{
  "type": "URL",
  "indicator": "https://m.int.link2tenant.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://m.int.link2tenant.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3849911816,
      "indicator": "https://m.int.link2tenant.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "68fbc84609098d17c316f23c",
          "name": "NSO - Multiple crimes",
          "description": "Multiple crimes including illegal gambling, loan sharking, cybercrimes , content reputation , instructions. Starfield seen again. Team 8 has seen Starfield in more than 300 pulses. Now it\u2019s gone. Check your devices for innocent looking searches you\u2019ve never searched. Browser extensions found on 3 targeted devices with an adversary with full CnC armed with a deletion and disk wipe service. Local - Denver. \n\nAlso, very concerning is specific Airline to be attacked revealed. It cant be researched without bringing down a flight or messing up air command & control. DJT has already made travel a risky feat by being influenced to fire the (NOAA) & (DOT). Its manipulation. PP Mafia bros. \n\nDoes anyone have any power? Contact someone. We did have a mystery plane incident in Denver after I first reported. Just space junk , ya know the usual. I am serious about preventing crime. I need some help!",
          "modified": "2025-11-23T17:00:58.297000",
          "created": "2025-10-24T18:41:10.936000",
          "tags": [
            "type indicator",
            "added active",
            "related pulses",
            "script urls",
            "united",
            "unknown ns",
            "a domains",
            "ip address",
            "meta",
            "asn as13335",
            "msie",
            "chrome",
            "ransom",
            "trojan",
            "passive dns",
            "backdoor",
            "http request",
            "twitter",
            "win32/crix.c check-in",
            "gmt content",
            "ipv4",
            "urls",
            "files",
            "data upload",
            "extraction",
            "domain add",
            "e emeseieee",
            "dynamicloader",
            "e eue",
            "eweienedeoewese",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "edeeefeaeuelete",
            "unknown",
            "write",
            "bits",
            "malware",
            "xserver",
            "encrypt",
            "unknown aaaa",
            "moved",
            "cloudfront x",
            "hio52 p1",
            "name servers",
            "accept encoding",
            "emails",
            "servers",
            "extr",
            "u a640",
            "a69f u",
            "fe2e fe2f",
            "u a720",
            "a7ff",
            "u feff",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "found",
            "pattern match",
            "mitre att",
            "null",
            "body",
            "pizza",
            "friday",
            "hybrid",
            "general",
            "local",
            "path",
            "starfield",
            "iframe",
            "click",
            "strings",
            "core",
            "bet",
            "gambling",
            "record value",
            "date",
            "present sep",
            "present apr",
            "colombia",
            "present jun",
            "present nov",
            "cookie",
            "present oct",
            "entries",
            "next associated",
            "error",
            "attack",
            "government",
            "scotland",
            "news",
            "covid19",
            "subscribe",
            "october",
            "crown copyright",
            "nhs scotland",
            "parliament",
            "coronavirus",
            "redacted for",
            "domain status",
            "server",
            "privacy tech",
            "privacy admin",
            "email",
            "country",
            "postal code",
            "stateprovince",
            "code",
            "host name",
            "rdap database",
            "handle",
            "iana registrar",
            "entity roles",
            "links",
            "key identifier",
            "x509v3 subject",
            "data",
            "v3 serial",
            "number",
            "cus olet",
            "encrypt cnr12",
            "validity",
            "subject public",
            "key info",
            "medium",
            "write c",
            "search",
            "pe file",
            "high",
            "checks",
            "http",
            "delete",
            "copy",
            "guard",
            "mozilla",
            "next",
            "godaddy",
            "creation date",
            "hostname",
            "pulse submit",
            "url analysis",
            "domain",
            "files ip",
            "trojandropper",
            "mtb oct",
            "mtb may",
            "refloadapihash",
            "foundry",
            "fastly",
            "value a",
            "com laude",
            "ltd dba",
            "nomiq",
            "limited dba",
            "pulse",
            "location united",
            "asn asnone",
            "nameservers"
          ],
          "references": [
            "giovannisnypizza.net \u2022  http://www.giovannisnypizza.net \u2022",
            "fazendabetb.live \u2022 bowiesports.com Check first???",
            "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino",
            "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022",
            "05bet99.bet \u2022  app.05bet99.bet \u2022  betterlifeschool.kr  \u2022  bbrbet.today",
            "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com",
            "cashloanboat.com \u2022 mx-loans-5o.today\u2022  nodoccommercialloan",
            "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards",
            "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/",
            "m.casinometropol225.com \u2022 casinometropol285.com  \u2022 http://bonus.casinometropol285.com \u2022",
            "https://bonus.casinometropol285.com \u2022  www.aksescasinobet77.icu bonus.casinometropol285.com \u2022",
            "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au",
            "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))",
            "The Scottish Government www.gov.scot The NHS Scotland support",
            "http://129.2.4.2/32 Lencr",
            "qlw020.managed-sprint.dynalabs.io (Check)",
            "brave-ohttp-relay-dev.fastly-edge.com (Palantir)",
            "ims.foundryfabrication.co.uk \u2022  timelog.foundryfabrication.co.uk \u2022  ims.foundryfabrication.co",
            "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com",
            "vb.cu \u2022  vb \u2022 vb.il  \u2022 vb.cu \u2022  vb.il \u2022 docs.fastly.com  \u2022 docs.fastly.com",
            "ExternalHosts: US",
            "Starfield again - HoneyPot / Dod- DoW",
            "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction",
            "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware",
            "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b"
          ],
          "public": 1,
          "adversary": "NSO",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Bulgaria",
            "Singapore",
            "Denmark",
            "Australia",
            "Jersey",
            "Japan",
            "Canada"
          ],
          "malware_families": [
            {
              "id": "Upatre",
              "display_name": "Upatre",
              "target": null
            },
            {
              "id": "Autoit",
              "display_name": "Autoit",
              "target": null
            },
            {
              "id": "Ransom:Win32/Crowti",
              "display_name": "Ransom:Win32/Crowti",
              "target": "/malware/Ransom:Win32/Crowti"
            },
            {
              "id": "Backdoor:Win32/Tofsee.",
              "display_name": "Backdoor:Win32/Tofsee.",
              "target": "/malware/Backdoor:Win32/Tofsee."
            },
            {
              "id": "#Lowfi:SIGATTR:DownloadAndExecute",
              "display_name": "#Lowfi:SIGATTR:DownloadAndExecute",
              "target": null
            },
            {
              "id": "Win.Dropper.Vbclone",
              "display_name": "Win.Dropper.Vbclone",
              "target": null
            },
            {
              "id": "Win.Packer",
              "display_name": "Win.Packer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6261,
            "domain": 1806,
            "hostname": 2427,
            "FileHash-MD5": 384,
            "FileHash-SHA1": 381,
            "email": 13,
            "FileHash-SHA256": 1418,
            "SSLCertFingerprint": 14
          },
          "indicator_count": 12704,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "146 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fc18514965ccd3b55c216d",
          "name": "Dorv \u2022 Obfuscator - Affecting DropBox",
          "description": "",
          "modified": "2025-11-23T17:00:58.297000",
          "created": "2025-10-25T00:22:41.686000",
          "tags": [
            "type indicator",
            "added active",
            "related pulses",
            "script urls",
            "united",
            "unknown ns",
            "a domains",
            "ip address",
            "meta",
            "asn as13335",
            "msie",
            "chrome",
            "ransom",
            "trojan",
            "passive dns",
            "backdoor",
            "http request",
            "twitter",
            "win32/crix.c check-in",
            "gmt content",
            "ipv4",
            "urls",
            "files",
            "data upload",
            "extraction",
            "domain add",
            "e emeseieee",
            "dynamicloader",
            "e eue",
            "eweienedeoewese",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "edeeefeaeuelete",
            "unknown",
            "write",
            "bits",
            "malware",
            "xserver",
            "encrypt",
            "unknown aaaa",
            "moved",
            "cloudfront x",
            "hio52 p1",
            "name servers",
            "accept encoding",
            "emails",
            "servers",
            "extr",
            "u a640",
            "a69f u",
            "fe2e fe2f",
            "u a720",
            "a7ff",
            "u feff",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "found",
            "pattern match",
            "mitre att",
            "null",
            "body",
            "pizza",
            "friday",
            "hybrid",
            "general",
            "local",
            "path",
            "starfield",
            "iframe",
            "click",
            "strings",
            "core",
            "bet",
            "gambling",
            "record value",
            "date",
            "present sep",
            "present apr",
            "colombia",
            "present jun",
            "present nov",
            "cookie",
            "present oct",
            "entries",
            "next associated",
            "error",
            "attack",
            "government",
            "scotland",
            "news",
            "covid19",
            "subscribe",
            "october",
            "crown copyright",
            "nhs scotland",
            "parliament",
            "coronavirus",
            "redacted for",
            "domain status",
            "server",
            "privacy tech",
            "privacy admin",
            "email",
            "country",
            "postal code",
            "stateprovince",
            "code",
            "host name",
            "rdap database",
            "handle",
            "iana registrar",
            "entity roles",
            "links",
            "key identifier",
            "x509v3 subject",
            "data",
            "v3 serial",
            "number",
            "cus olet",
            "encrypt cnr12",
            "validity",
            "subject public",
            "key info",
            "medium",
            "write c",
            "search",
            "pe file",
            "high",
            "checks",
            "http",
            "delete",
            "copy",
            "guard",
            "mozilla",
            "next",
            "godaddy",
            "creation date",
            "hostname",
            "pulse submit",
            "url analysis",
            "domain",
            "files ip",
            "trojandropper",
            "mtb oct",
            "mtb may",
            "refloadapihash",
            "foundry",
            "fastly",
            "value a",
            "com laude",
            "ltd dba",
            "nomiq",
            "limited dba",
            "pulse",
            "location united",
            "asn asnone",
            "nameservers"
          ],
          "references": [
            "giovannisnypizza.net \u2022  http://www.giovannisnypizza.net \u2022",
            "fazendabetb.live \u2022 bowiesports.com Check first???",
            "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino",
            "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022",
            "05bet99.bet \u2022  app.05bet99.bet \u2022  betterlifeschool.kr  \u2022  bbrbet.today",
            "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com",
            "cashloanboat.com \u2022 mx-loans-5o.today\u2022  nodoccommercialloan",
            "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards",
            "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/",
            "m.casinometropol225.com \u2022 casinometropol285.com  \u2022 http://bonus.casinometropol285.com \u2022",
            "https://bonus.casinometropol285.com \u2022  www.aksescasinobet77.icu bonus.casinometropol285.com \u2022",
            "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au",
            "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))",
            "The Scottish Government www.gov.scot The NHS Scotland support",
            "http://129.2.4.2/32 Lencr",
            "qlw020.managed-sprint.dynalabs.io (Check)",
            "brave-ohttp-relay-dev.fastly-edge.com (Palantir)",
            "ims.foundryfabrication.co.uk \u2022  timelog.foundryfabrication.co.uk \u2022  ims.foundryfabrication.co",
            "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com",
            "vb.cu \u2022  vb \u2022 vb.il  \u2022 vb.cu \u2022  vb.il \u2022 docs.fastly.com  \u2022 docs.fastly.com",
            "ExternalHosts: US",
            "Starfield again - HoneyPot / Dod- DoW",
            "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction",
            "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware",
            "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b"
          ],
          "public": 1,
          "adversary": "NSO",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Bulgaria",
            "Singapore",
            "Denmark",
            "Australia",
            "Jersey",
            "Japan",
            "Canada"
          ],
          "malware_families": [
            {
              "id": "Upatre",
              "display_name": "Upatre",
              "target": null
            },
            {
              "id": "Autoit",
              "display_name": "Autoit",
              "target": null
            },
            {
              "id": "Ransom:Win32/Crowti",
              "display_name": "Ransom:Win32/Crowti",
              "target": "/malware/Ransom:Win32/Crowti"
            },
            {
              "id": "Backdoor:Win32/Tofsee.",
              "display_name": "Backdoor:Win32/Tofsee.",
              "target": "/malware/Backdoor:Win32/Tofsee."
            },
            {
              "id": "#Lowfi:SIGATTR:DownloadAndExecute",
              "display_name": "#Lowfi:SIGATTR:DownloadAndExecute",
              "target": null
            },
            {
              "id": "Win.Dropper.Vbclone",
              "display_name": "Win.Dropper.Vbclone",
              "target": null
            },
            {
              "id": "Win.Packer",
              "display_name": "Win.Packer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "68fbc84609098d17c316f23c",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6261,
            "domain": 1806,
            "hostname": 2427,
            "FileHash-MD5": 384,
            "FileHash-SHA1": 381,
            "email": 13,
            "FileHash-SHA256": 1418,
            "SSLCertFingerprint": 14
          },
          "indicator_count": 12704,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "146 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65e576d419524d75af35a36e",
          "name": "FormBook",
          "description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.",
          "modified": "2024-04-03T05:03:03.527000",
          "created": "2024-03-04T07:23:00.177000",
          "tags": [
            "resolutions",
            "referrer",
            "siblings",
            "asn owner",
            "historical ssl",
            "contacted",
            "high level",
            "hackers",
            "formbook",
            "name verdict",
            "falcon sandbox",
            "report",
            "united",
            "registrar",
            "creation date",
            "search",
            "emails",
            "name",
            "name servers",
            "showing",
            "unknown",
            "scan endpoints",
            "date",
            "next",
            "root ca",
            "pattern match",
            "authority",
            "beginstring",
            "class",
            "mitre att",
            "global root",
            "ck id",
            "show technique",
            "ck matrix",
            "null",
            "accept",
            "refresh",
            "span",
            "error",
            "tools",
            "body",
            "look",
            "verify",
            "restart",
            "hybrid",
            "local",
            "click",
            "strings",
            "files files",
            "ssl certificate",
            "tsara brashears",
            "highly targeted",
            "ransomware",
            "dark power",
            "play ransomware",
            "malware",
            "core",
            "installer",
            "awful",
            "snatch",
            "metro",
            "service",
            "critical",
            "copy",
            "execution",
            "location united",
            "asn as15169",
            "less whois",
            "as15169 google",
            "status",
            "entries",
            "record value",
            "servers",
            "trojan",
            "win32",
            "aaaa",
            "worm",
            "passive dns",
            "gmt cache",
            "sameorigin",
            "all scoreblue",
            "ipv4",
            "lowfi",
            "domain related",
            "urls",
            "domain",
            "nxdomain",
            "hostname",
            "users",
            "yara detections",
            "alerts",
            "high",
            "filehash",
            "pulse pulses",
            "av detections",
            "ids detections",
            "musicmaid",
            "reader",
            "office standard",
            "high process",
            "injection t1055",
            "t1055",
            "x00x00",
            "icmp traffic",
            "injection",
            "hijacker",
            "password",
            "stealer",
            "corruption",
            "targeting",
            "172.31.13.249"
          ],
          "references": [
            "gstatic.com",
            "Unsupported/Fake Windows NT Version 5.0",
            "Login privileges",
            "172.31.13.249"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Worm:Win32/Mofksys.RND!MTB",
              "display_name": "Worm:Win32/Mofksys.RND!MTB",
              "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
            },
            {
              "id": "Trojan:Win32/Dorv.B!rfn",
              "display_name": "Trojan:Win32/Dorv.B!rfn",
              "target": "/malware/Trojan:Win32/Dorv.B!rfn"
            },
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "Trojan:Win32/QQpass",
              "display_name": "Trojan:Win32/QQpass",
              "target": "/malware/Trojan:Win32/QQpass"
            },
            {
              "id": "Trojan:Win32/Antavmu.D",
              "display_name": "Trojan:Win32/Antavmu.D",
              "target": "/malware/Trojan:Win32/Antavmu.D"
            },
            {
              "id": "PWS:MSIL/Dcstl.GD!MTB",
              "display_name": "PWS:MSIL/Dcstl.GD!MTB",
              "target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
            },
            {
              "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
              "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
              "target": null
            },
            {
              "id": "Win32:MalwareX-gen\\ [Trj]",
              "display_name": "Win32:MalwareX-gen\\ [Trj]",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1107",
              "name": "File Deletion",
              "display_name": "T1107 - File Deletion"
            },
            {
              "id": "T1447",
              "name": "Delete Device Data",
              "display_name": "T1447 - Delete Device Data"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1002",
              "name": "Data Compressed",
              "display_name": "T1002 - Data Compressed"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 45,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3117,
            "FileHash-MD5": 280,
            "FileHash-SHA1": 286,
            "FileHash-SHA256": 3773,
            "domain": 1264,
            "hostname": 1595,
            "email": 6,
            "CVE": 5
          },
          "indicator_count": 10326,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "746 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65e57f32581a900dfb272d05",
          "name": "FormBook | 172.31.13.249",
          "description": "",
          "modified": "2024-04-03T05:03:03.527000",
          "created": "2024-03-04T07:58:42.074000",
          "tags": [
            "resolutions",
            "referrer",
            "siblings",
            "asn owner",
            "historical ssl",
            "contacted",
            "high level",
            "hackers",
            "formbook",
            "name verdict",
            "falcon sandbox",
            "report",
            "united",
            "registrar",
            "creation date",
            "search",
            "emails",
            "name",
            "name servers",
            "showing",
            "unknown",
            "scan endpoints",
            "date",
            "next",
            "root ca",
            "pattern match",
            "authority",
            "beginstring",
            "class",
            "mitre att",
            "global root",
            "ck id",
            "show technique",
            "ck matrix",
            "null",
            "accept",
            "refresh",
            "span",
            "error",
            "tools",
            "body",
            "look",
            "verify",
            "restart",
            "hybrid",
            "local",
            "click",
            "strings",
            "files files",
            "ssl certificate",
            "tsara brashears",
            "highly targeted",
            "ransomware",
            "dark power",
            "play ransomware",
            "malware",
            "core",
            "installer",
            "awful",
            "snatch",
            "metro",
            "service",
            "critical",
            "copy",
            "execution",
            "location united",
            "asn as15169",
            "less whois",
            "as15169 google",
            "status",
            "entries",
            "record value",
            "servers",
            "trojan",
            "win32",
            "aaaa",
            "worm",
            "passive dns",
            "gmt cache",
            "sameorigin",
            "all scoreblue",
            "ipv4",
            "lowfi",
            "domain related",
            "urls",
            "domain",
            "nxdomain",
            "hostname",
            "users",
            "yara detections",
            "alerts",
            "high",
            "filehash",
            "pulse pulses",
            "av detections",
            "ids detections",
            "musicmaid",
            "reader",
            "office standard",
            "high process",
            "injection t1055",
            "t1055",
            "x00x00",
            "icmp traffic",
            "injection",
            "hijacker",
            "password",
            "stealer",
            "corruption",
            "targeting",
            "172.31.13.249"
          ],
          "references": [
            "gstatic.com",
            "Unsupported/Fake Windows NT Version 5.0",
            "Login privileges",
            "172.31.13.249"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Worm:Win32/Mofksys.RND!MTB",
              "display_name": "Worm:Win32/Mofksys.RND!MTB",
              "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
            },
            {
              "id": "Trojan:Win32/Dorv.B!rfn",
              "display_name": "Trojan:Win32/Dorv.B!rfn",
              "target": "/malware/Trojan:Win32/Dorv.B!rfn"
            },
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "Trojan:Win32/QQpass",
              "display_name": "Trojan:Win32/QQpass",
              "target": "/malware/Trojan:Win32/QQpass"
            },
            {
              "id": "Trojan:Win32/Antavmu.D",
              "display_name": "Trojan:Win32/Antavmu.D",
              "target": "/malware/Trojan:Win32/Antavmu.D"
            },
            {
              "id": "PWS:MSIL/Dcstl.GD!MTB",
              "display_name": "PWS:MSIL/Dcstl.GD!MTB",
              "target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
            },
            {
              "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
              "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
              "target": null
            },
            {
              "id": "Win32:MalwareX-gen\\ [Trj]",
              "display_name": "Win32:MalwareX-gen\\ [Trj]",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1107",
              "name": "File Deletion",
              "display_name": "T1107 - File Deletion"
            },
            {
              "id": "T1447",
              "name": "Delete Device Data",
              "display_name": "T1447 - Delete Device Data"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1002",
              "name": "Data Compressed",
              "display_name": "T1002 - Data Compressed"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65e576d419524d75af35a36e",
          "export_count": 45,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3117,
            "FileHash-MD5": 280,
            "FileHash-SHA1": 286,
            "FileHash-SHA256": 3773,
            "domain": 1264,
            "hostname": 1595,
            "email": 6,
            "CVE": 5
          },
          "indicator_count": 10326,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 223,
          "modified_text": "746 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))",
        "https://bonus.casinometropol285.com \u2022  www.aksescasinobet77.icu bonus.casinometropol285.com \u2022",
        "fazendabetb.live \u2022 bowiesports.com Check first???",
        "qlw020.managed-sprint.dynalabs.io (Check)",
        "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com",
        "cashloanboat.com \u2022 mx-loans-5o.today\u2022  nodoccommercialloan",
        "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware",
        "giovannisnypizza.net \u2022  http://www.giovannisnypizza.net \u2022",
        "172.31.13.249",
        "m.casinometropol225.com \u2022 casinometropol285.com  \u2022 http://bonus.casinometropol285.com \u2022",
        "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino",
        "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022",
        "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com",
        "Login privileges",
        "ims.foundryfabrication.co.uk \u2022  timelog.foundryfabrication.co.uk \u2022  ims.foundryfabrication.co",
        "http://129.2.4.2/32 Lencr",
        "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au",
        "The Scottish Government www.gov.scot The NHS Scotland support",
        "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction",
        "Unsupported/Fake Windows NT Version 5.0",
        "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards",
        "brave-ohttp-relay-dev.fastly-edge.com (Palantir)",
        "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/",
        "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b",
        "ExternalHosts: US",
        "Starfield again - HoneyPot / Dod- DoW",
        "vb.cu \u2022  vb \u2022 vb.il  \u2022 vb.cu \u2022  vb.il \u2022 docs.fastly.com  \u2022 docs.fastly.com",
        "gstatic.com",
        "05bet99.bet \u2022  app.05bet99.bet \u2022  betterlifeschool.kr  \u2022  bbrbet.today"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "NSO"
          ],
          "malware_families": [
            "Win.packer",
            "Backdoor:win32/tofsee.",
            "Pws:msil/dcstl.gd!mtb",
            "Trojan:win32/antavmu.d",
            "Trojan:win32/zombie.a",
            "Autoit",
            "Worm:win32/mofksys.rnd!mtb",
            "Trojan:win32/dorv.b!rfn",
            "Win.dropper.vbclone",
            "#lowfi:sigattr:downloadandexecute",
            "Formbook",
            "Upatre",
            "Win32:malwarex-gen\\ [trj]",
            "Trojan:win32/qqpass",
            "Ransom:win32/crowti",
            "#lowfi:hstr:msil/possibledownloader.s01"
          ],
          "industries": [],
          "unique_indicators": 23185
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/link2tenant.com",
    "whois": "http://whois.domaintools.com/link2tenant.com",
    "domain": "link2tenant.com",
    "hostname": "m.int.link2tenant.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "68fbc84609098d17c316f23c",
      "name": "NSO - Multiple crimes",
      "description": "Multiple crimes including illegal gambling, loan sharking, cybercrimes , content reputation , instructions. Starfield seen again. Team 8 has seen Starfield in more than 300 pulses. Now it\u2019s gone. Check your devices for innocent looking searches you\u2019ve never searched. Browser extensions found on 3 targeted devices with an adversary with full CnC armed with a deletion and disk wipe service. Local - Denver. \n\nAlso, very concerning is specific Airline to be attacked revealed. It cant be researched without bringing down a flight or messing up air command & control. DJT has already made travel a risky feat by being influenced to fire the (NOAA) & (DOT). Its manipulation. PP Mafia bros. \n\nDoes anyone have any power? Contact someone. We did have a mystery plane incident in Denver after I first reported. Just space junk , ya know the usual. I am serious about preventing crime. I need some help!",
      "modified": "2025-11-23T17:00:58.297000",
      "created": "2025-10-24T18:41:10.936000",
      "tags": [
        "type indicator",
        "added active",
        "related pulses",
        "script urls",
        "united",
        "unknown ns",
        "a domains",
        "ip address",
        "meta",
        "asn as13335",
        "msie",
        "chrome",
        "ransom",
        "trojan",
        "passive dns",
        "backdoor",
        "http request",
        "twitter",
        "win32/crix.c check-in",
        "gmt content",
        "ipv4",
        "urls",
        "files",
        "data upload",
        "extraction",
        "domain add",
        "e emeseieee",
        "dynamicloader",
        "e eue",
        "eweienedeoewese",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "edeeefeaeuelete",
        "unknown",
        "write",
        "bits",
        "malware",
        "xserver",
        "encrypt",
        "unknown aaaa",
        "moved",
        "cloudfront x",
        "hio52 p1",
        "name servers",
        "accept encoding",
        "emails",
        "servers",
        "extr",
        "u a640",
        "a69f u",
        "fe2e fe2f",
        "u a720",
        "a7ff",
        "u feff",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "found",
        "pattern match",
        "mitre att",
        "null",
        "body",
        "pizza",
        "friday",
        "hybrid",
        "general",
        "local",
        "path",
        "starfield",
        "iframe",
        "click",
        "strings",
        "core",
        "bet",
        "gambling",
        "record value",
        "date",
        "present sep",
        "present apr",
        "colombia",
        "present jun",
        "present nov",
        "cookie",
        "present oct",
        "entries",
        "next associated",
        "error",
        "attack",
        "government",
        "scotland",
        "news",
        "covid19",
        "subscribe",
        "october",
        "crown copyright",
        "nhs scotland",
        "parliament",
        "coronavirus",
        "redacted for",
        "domain status",
        "server",
        "privacy tech",
        "privacy admin",
        "email",
        "country",
        "postal code",
        "stateprovince",
        "code",
        "host name",
        "rdap database",
        "handle",
        "iana registrar",
        "entity roles",
        "links",
        "key identifier",
        "x509v3 subject",
        "data",
        "v3 serial",
        "number",
        "cus olet",
        "encrypt cnr12",
        "validity",
        "subject public",
        "key info",
        "medium",
        "write c",
        "search",
        "pe file",
        "high",
        "checks",
        "http",
        "delete",
        "copy",
        "guard",
        "mozilla",
        "next",
        "godaddy",
        "creation date",
        "hostname",
        "pulse submit",
        "url analysis",
        "domain",
        "files ip",
        "trojandropper",
        "mtb oct",
        "mtb may",
        "refloadapihash",
        "foundry",
        "fastly",
        "value a",
        "com laude",
        "ltd dba",
        "nomiq",
        "limited dba",
        "pulse",
        "location united",
        "asn asnone",
        "nameservers"
      ],
      "references": [
        "giovannisnypizza.net \u2022  http://www.giovannisnypizza.net \u2022",
        "fazendabetb.live \u2022 bowiesports.com Check first???",
        "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino",
        "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022",
        "05bet99.bet \u2022  app.05bet99.bet \u2022  betterlifeschool.kr  \u2022  bbrbet.today",
        "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com",
        "cashloanboat.com \u2022 mx-loans-5o.today\u2022  nodoccommercialloan",
        "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards",
        "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/",
        "m.casinometropol225.com \u2022 casinometropol285.com  \u2022 http://bonus.casinometropol285.com \u2022",
        "https://bonus.casinometropol285.com \u2022  www.aksescasinobet77.icu bonus.casinometropol285.com \u2022",
        "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au",
        "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))",
        "The Scottish Government www.gov.scot The NHS Scotland support",
        "http://129.2.4.2/32 Lencr",
        "qlw020.managed-sprint.dynalabs.io (Check)",
        "brave-ohttp-relay-dev.fastly-edge.com (Palantir)",
        "ims.foundryfabrication.co.uk \u2022  timelog.foundryfabrication.co.uk \u2022  ims.foundryfabrication.co",
        "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com",
        "vb.cu \u2022  vb \u2022 vb.il  \u2022 vb.cu \u2022  vb.il \u2022 docs.fastly.com  \u2022 docs.fastly.com",
        "ExternalHosts: US",
        "Starfield again - HoneyPot / Dod- DoW",
        "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction",
        "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware",
        "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b"
      ],
      "public": 1,
      "adversary": "NSO",
      "targeted_countries": [
        "United States of America",
        "Germany",
        "Bulgaria",
        "Singapore",
        "Denmark",
        "Australia",
        "Jersey",
        "Japan",
        "Canada"
      ],
      "malware_families": [
        {
          "id": "Upatre",
          "display_name": "Upatre",
          "target": null
        },
        {
          "id": "Autoit",
          "display_name": "Autoit",
          "target": null
        },
        {
          "id": "Ransom:Win32/Crowti",
          "display_name": "Ransom:Win32/Crowti",
          "target": "/malware/Ransom:Win32/Crowti"
        },
        {
          "id": "Backdoor:Win32/Tofsee.",
          "display_name": "Backdoor:Win32/Tofsee.",
          "target": "/malware/Backdoor:Win32/Tofsee."
        },
        {
          "id": "#Lowfi:SIGATTR:DownloadAndExecute",
          "display_name": "#Lowfi:SIGATTR:DownloadAndExecute",
          "target": null
        },
        {
          "id": "Win.Dropper.Vbclone",
          "display_name": "Win.Dropper.Vbclone",
          "target": null
        },
        {
          "id": "Win.Packer",
          "display_name": "Win.Packer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6261,
        "domain": 1806,
        "hostname": 2427,
        "FileHash-MD5": 384,
        "FileHash-SHA1": 381,
        "email": 13,
        "FileHash-SHA256": 1418,
        "SSLCertFingerprint": 14
      },
      "indicator_count": 12704,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "146 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fc18514965ccd3b55c216d",
      "name": "Dorv \u2022 Obfuscator - Affecting DropBox",
      "description": "",
      "modified": "2025-11-23T17:00:58.297000",
      "created": "2025-10-25T00:22:41.686000",
      "tags": [
        "type indicator",
        "added active",
        "related pulses",
        "script urls",
        "united",
        "unknown ns",
        "a domains",
        "ip address",
        "meta",
        "asn as13335",
        "msie",
        "chrome",
        "ransom",
        "trojan",
        "passive dns",
        "backdoor",
        "http request",
        "twitter",
        "win32/crix.c check-in",
        "gmt content",
        "ipv4",
        "urls",
        "files",
        "data upload",
        "extraction",
        "domain add",
        "e emeseieee",
        "dynamicloader",
        "e eue",
        "eweienedeoewese",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "edeeefeaeuelete",
        "unknown",
        "write",
        "bits",
        "malware",
        "xserver",
        "encrypt",
        "unknown aaaa",
        "moved",
        "cloudfront x",
        "hio52 p1",
        "name servers",
        "accept encoding",
        "emails",
        "servers",
        "extr",
        "u a640",
        "a69f u",
        "fe2e fe2f",
        "u a720",
        "a7ff",
        "u feff",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "found",
        "pattern match",
        "mitre att",
        "null",
        "body",
        "pizza",
        "friday",
        "hybrid",
        "general",
        "local",
        "path",
        "starfield",
        "iframe",
        "click",
        "strings",
        "core",
        "bet",
        "gambling",
        "record value",
        "date",
        "present sep",
        "present apr",
        "colombia",
        "present jun",
        "present nov",
        "cookie",
        "present oct",
        "entries",
        "next associated",
        "error",
        "attack",
        "government",
        "scotland",
        "news",
        "covid19",
        "subscribe",
        "october",
        "crown copyright",
        "nhs scotland",
        "parliament",
        "coronavirus",
        "redacted for",
        "domain status",
        "server",
        "privacy tech",
        "privacy admin",
        "email",
        "country",
        "postal code",
        "stateprovince",
        "code",
        "host name",
        "rdap database",
        "handle",
        "iana registrar",
        "entity roles",
        "links",
        "key identifier",
        "x509v3 subject",
        "data",
        "v3 serial",
        "number",
        "cus olet",
        "encrypt cnr12",
        "validity",
        "subject public",
        "key info",
        "medium",
        "write c",
        "search",
        "pe file",
        "high",
        "checks",
        "http",
        "delete",
        "copy",
        "guard",
        "mozilla",
        "next",
        "godaddy",
        "creation date",
        "hostname",
        "pulse submit",
        "url analysis",
        "domain",
        "files ip",
        "trojandropper",
        "mtb oct",
        "mtb may",
        "refloadapihash",
        "foundry",
        "fastly",
        "value a",
        "com laude",
        "ltd dba",
        "nomiq",
        "limited dba",
        "pulse",
        "location united",
        "asn asnone",
        "nameservers"
      ],
      "references": [
        "giovannisnypizza.net \u2022  http://www.giovannisnypizza.net \u2022",
        "fazendabetb.live \u2022 bowiesports.com Check first???",
        "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino",
        "www.cricx1bet99.com \u2022 cricx1bet99.com \u2022 bulgariabet.bg \u2022",
        "05bet99.bet \u2022  app.05bet99.bet \u2022  betterlifeschool.kr  \u2022  bbrbet.today",
        "coinbasecnext.com \u2022 e-coinpayments.com \u2022 e-coinpayments.com",
        "cashloanboat.com \u2022 mx-loans-5o.today\u2022  nodoccommercialloan",
        "cashloanboat.com \u2022 https://dym168.org/cashoutwithclonedcards",
        "http://kittelsoncarpo.com/business-registration/online-gaming-betting-casino/",
        "m.casinometropol225.com \u2022 casinometropol285.com  \u2022 http://bonus.casinometropol285.com \u2022",
        "https://bonus.casinometropol285.com \u2022  www.aksescasinobet77.icu bonus.casinometropol285.com \u2022",
        "Interesting: app.master.legalaid-vic-gov-au.sdp4.sdp.vic.gov.au",
        "Bogota: anla.gov.co | ( gov.scot? Government/Legal (alphaMountain.ai))",
        "The Scottish Government www.gov.scot The NHS Scotland support",
        "http://129.2.4.2/32 Lencr",
        "qlw020.managed-sprint.dynalabs.io (Check)",
        "brave-ohttp-relay-dev.fastly-edge.com (Palantir)",
        "ims.foundryfabrication.co.uk \u2022  timelog.foundryfabrication.co.uk \u2022  ims.foundryfabrication.co",
        "151.101.195.19 In CDN range: provider=fastly \u2022 https://docs.fastly.com/en/guides/common \u2022 fastly.com",
        "vb.cu \u2022  vb \u2022 vb.il  \u2022 vb.cu \u2022  vb.il \u2022 docs.fastly.com  \u2022 docs.fastly.com",
        "ExternalHosts: US",
        "Starfield again - HoneyPot / Dod- DoW",
        "\u2018Starfield\u2019 Seen in a \u2018DoD\u2019 related wheelchair malfunction",
        "Red Team Abuse? Starfield ? DoD related (Palantir) https://] bethesda[.]net - Spyware",
        "https://otx.alienvault.com/pulse/68e2db3a16fcfd7d323f105b"
      ],
      "public": 1,
      "adversary": "NSO",
      "targeted_countries": [
        "United States of America",
        "Germany",
        "Bulgaria",
        "Singapore",
        "Denmark",
        "Australia",
        "Jersey",
        "Japan",
        "Canada"
      ],
      "malware_families": [
        {
          "id": "Upatre",
          "display_name": "Upatre",
          "target": null
        },
        {
          "id": "Autoit",
          "display_name": "Autoit",
          "target": null
        },
        {
          "id": "Ransom:Win32/Crowti",
          "display_name": "Ransom:Win32/Crowti",
          "target": "/malware/Ransom:Win32/Crowti"
        },
        {
          "id": "Backdoor:Win32/Tofsee.",
          "display_name": "Backdoor:Win32/Tofsee.",
          "target": "/malware/Backdoor:Win32/Tofsee."
        },
        {
          "id": "#Lowfi:SIGATTR:DownloadAndExecute",
          "display_name": "#Lowfi:SIGATTR:DownloadAndExecute",
          "target": null
        },
        {
          "id": "Win.Dropper.Vbclone",
          "display_name": "Win.Dropper.Vbclone",
          "target": null
        },
        {
          "id": "Win.Packer",
          "display_name": "Win.Packer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "68fbc84609098d17c316f23c",
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6261,
        "domain": 1806,
        "hostname": 2427,
        "FileHash-MD5": 384,
        "FileHash-SHA1": 381,
        "email": 13,
        "FileHash-SHA256": 1418,
        "SSLCertFingerprint": 14
      },
      "indicator_count": 12704,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "146 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65e576d419524d75af35a36e",
      "name": "FormBook",
      "description": "FormBook is an infostealer malware (malicious spyware). Its malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being used by legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front-facing threats on various platforms. One firm has very poor reviews. Corrupt. Others initiate malicious prosecution lawsuits. Social engineering, intertwining malicious behavior in every aspect of a target's life, from business banking and ancestry to aggressive matchmaking attempts.",
      "modified": "2024-04-03T05:03:03.527000",
      "created": "2024-03-04T07:23:00.177000",
      "tags": [
        "resolutions",
        "referrer",
        "siblings",
        "asn owner",
        "historical ssl",
        "contacted",
        "high level",
        "hackers",
        "formbook",
        "name verdict",
        "falcon sandbox",
        "report",
        "united",
        "registrar",
        "creation date",
        "search",
        "emails",
        "name",
        "name servers",
        "showing",
        "unknown",
        "scan endpoints",
        "date",
        "next",
        "root ca",
        "pattern match",
        "authority",
        "beginstring",
        "class",
        "mitre att",
        "global root",
        "ck id",
        "show technique",
        "ck matrix",
        "null",
        "accept",
        "refresh",
        "span",
        "error",
        "tools",
        "body",
        "look",
        "verify",
        "restart",
        "hybrid",
        "local",
        "click",
        "strings",
        "files files",
        "ssl certificate",
        "tsara brashears",
        "highly targeted",
        "ransomware",
        "dark power",
        "play ransomware",
        "malware",
        "core",
        "installer",
        "awful",
        "snatch",
        "metro",
        "service",
        "critical",
        "copy",
        "execution",
        "location united",
        "asn as15169",
        "less whois",
        "as15169 google",
        "status",
        "entries",
        "record value",
        "servers",
        "trojan",
        "win32",
        "aaaa",
        "worm",
        "passive dns",
        "gmt cache",
        "sameorigin",
        "all scoreblue",
        "ipv4",
        "lowfi",
        "domain related",
        "urls",
        "domain",
        "nxdomain",
        "hostname",
        "users",
        "yara detections",
        "alerts",
        "high",
        "filehash",
        "pulse pulses",
        "av detections",
        "ids detections",
        "musicmaid",
        "reader",
        "office standard",
        "high process",
        "injection t1055",
        "t1055",
        "x00x00",
        "icmp traffic",
        "injection",
        "hijacker",
        "password",
        "stealer",
        "corruption",
        "targeting",
        "172.31.13.249"
      ],
      "references": [
        "gstatic.com",
        "Unsupported/Fake Windows NT Version 5.0",
        "Login privileges",
        "172.31.13.249"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "FormBook",
          "display_name": "FormBook",
          "target": null
        },
        {
          "id": "Worm:Win32/Mofksys.RND!MTB",
          "display_name": "Worm:Win32/Mofksys.RND!MTB",
          "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
        },
        {
          "id": "Trojan:Win32/Dorv.B!rfn",
          "display_name": "Trojan:Win32/Dorv.B!rfn",
          "target": "/malware/Trojan:Win32/Dorv.B!rfn"
        },
        {
          "id": "Trojan:Win32/Zombie.A",
          "display_name": "Trojan:Win32/Zombie.A",
          "target": "/malware/Trojan:Win32/Zombie.A"
        },
        {
          "id": "Trojan:Win32/QQpass",
          "display_name": "Trojan:Win32/QQpass",
          "target": "/malware/Trojan:Win32/QQpass"
        },
        {
          "id": "Trojan:Win32/Antavmu.D",
          "display_name": "Trojan:Win32/Antavmu.D",
          "target": "/malware/Trojan:Win32/Antavmu.D"
        },
        {
          "id": "PWS:MSIL/Dcstl.GD!MTB",
          "display_name": "PWS:MSIL/Dcstl.GD!MTB",
          "target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
        },
        {
          "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
          "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
          "target": null
        },
        {
          "id": "Win32:MalwareX-gen\\ [Trj]",
          "display_name": "Win32:MalwareX-gen\\ [Trj]",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1100",
          "name": "Web Shell",
          "display_name": "T1100 - Web Shell"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1107",
          "name": "File Deletion",
          "display_name": "T1107 - File Deletion"
        },
        {
          "id": "T1447",
          "name": "Delete Device Data",
          "display_name": "T1447 - Delete Device Data"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1002",
          "name": "Data Compressed",
          "display_name": "T1002 - Data Compressed"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 45,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3117,
        "FileHash-MD5": 280,
        "FileHash-SHA1": 286,
        "FileHash-SHA256": 3773,
        "domain": 1264,
        "hostname": 1595,
        "email": 6,
        "CVE": 5
      },
      "indicator_count": 10326,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 229,
      "modified_text": "746 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65e57f32581a900dfb272d05",
      "name": "FormBook | 172.31.13.249",
      "description": "",
      "modified": "2024-04-03T05:03:03.527000",
      "created": "2024-03-04T07:58:42.074000",
      "tags": [
        "resolutions",
        "referrer",
        "siblings",
        "asn owner",
        "historical ssl",
        "contacted",
        "high level",
        "hackers",
        "formbook",
        "name verdict",
        "falcon sandbox",
        "report",
        "united",
        "registrar",
        "creation date",
        "search",
        "emails",
        "name",
        "name servers",
        "showing",
        "unknown",
        "scan endpoints",
        "date",
        "next",
        "root ca",
        "pattern match",
        "authority",
        "beginstring",
        "class",
        "mitre att",
        "global root",
        "ck id",
        "show technique",
        "ck matrix",
        "null",
        "accept",
        "refresh",
        "span",
        "error",
        "tools",
        "body",
        "look",
        "verify",
        "restart",
        "hybrid",
        "local",
        "click",
        "strings",
        "files files",
        "ssl certificate",
        "tsara brashears",
        "highly targeted",
        "ransomware",
        "dark power",
        "play ransomware",
        "malware",
        "core",
        "installer",
        "awful",
        "snatch",
        "metro",
        "service",
        "critical",
        "copy",
        "execution",
        "location united",
        "asn as15169",
        "less whois",
        "as15169 google",
        "status",
        "entries",
        "record value",
        "servers",
        "trojan",
        "win32",
        "aaaa",
        "worm",
        "passive dns",
        "gmt cache",
        "sameorigin",
        "all scoreblue",
        "ipv4",
        "lowfi",
        "domain related",
        "urls",
        "domain",
        "nxdomain",
        "hostname",
        "users",
        "yara detections",
        "alerts",
        "high",
        "filehash",
        "pulse pulses",
        "av detections",
        "ids detections",
        "musicmaid",
        "reader",
        "office standard",
        "high process",
        "injection t1055",
        "t1055",
        "x00x00",
        "icmp traffic",
        "injection",
        "hijacker",
        "password",
        "stealer",
        "corruption",
        "targeting",
        "172.31.13.249"
      ],
      "references": [
        "gstatic.com",
        "Unsupported/Fake Windows NT Version 5.0",
        "Login privileges",
        "172.31.13.249"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "FormBook",
          "display_name": "FormBook",
          "target": null
        },
        {
          "id": "Worm:Win32/Mofksys.RND!MTB",
          "display_name": "Worm:Win32/Mofksys.RND!MTB",
          "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
        },
        {
          "id": "Trojan:Win32/Dorv.B!rfn",
          "display_name": "Trojan:Win32/Dorv.B!rfn",
          "target": "/malware/Trojan:Win32/Dorv.B!rfn"
        },
        {
          "id": "Trojan:Win32/Zombie.A",
          "display_name": "Trojan:Win32/Zombie.A",
          "target": "/malware/Trojan:Win32/Zombie.A"
        },
        {
          "id": "Trojan:Win32/QQpass",
          "display_name": "Trojan:Win32/QQpass",
          "target": "/malware/Trojan:Win32/QQpass"
        },
        {
          "id": "Trojan:Win32/Antavmu.D",
          "display_name": "Trojan:Win32/Antavmu.D",
          "target": "/malware/Trojan:Win32/Antavmu.D"
        },
        {
          "id": "PWS:MSIL/Dcstl.GD!MTB",
          "display_name": "PWS:MSIL/Dcstl.GD!MTB",
          "target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
        },
        {
          "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
          "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
          "target": null
        },
        {
          "id": "Win32:MalwareX-gen\\ [Trj]",
          "display_name": "Win32:MalwareX-gen\\ [Trj]",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1100",
          "name": "Web Shell",
          "display_name": "T1100 - Web Shell"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1107",
          "name": "File Deletion",
          "display_name": "T1107 - File Deletion"
        },
        {
          "id": "T1447",
          "name": "Delete Device Data",
          "display_name": "T1447 - Delete Device Data"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1002",
          "name": "Data Compressed",
          "display_name": "T1002 - Data Compressed"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65e576d419524d75af35a36e",
      "export_count": 45,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3117,
        "FileHash-MD5": 280,
        "FileHash-SHA1": 286,
        "FileHash-SHA256": 3773,
        "domain": 1264,
        "hostname": 1595,
        "email": 6,
        "CVE": 5
      },
      "indicator_count": 10326,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 223,
      "modified_text": "746 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://m.int.link2tenant.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://m.int.link2tenant.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776611577.4562275
}