{ "type": "URL", "indicator": "https://m1.icbcbc.com.cn", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://m1.icbcbc.com.cn", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3758866098, "indicator": "https://m1.icbcbc.com.cn", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "6529c91a4f8f0c898f48088c", "name": "quick look at vk.com", "description": "", "modified": "2025-06-26T22:23:19.431000", "created": "2023-10-13T22:47:54.295000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 1981, "domain": 506, "hostname": 1258, "URL": 3080 }, "indicator_count": 6861, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a836104ede1963b0502042", "name": "Not even Google", "description": "https://shadow.googlecnapps.cn\njoshuajenkinslaw.com", "modified": "2024-02-16T17:02:44.115000", "created": "2024-01-17T20:18:24.316000", "tags": [ "ssl certificate", "threat roundup", "whois record", "march", "october", "contacted", "july", "april", "june", "roundup", "august", "copy", "execution", "plugx", "goldfinder", "sibot", "hacktool", "february", "ransomexx", "ermac", "emotet", "agent tesla", "nokoyawa" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1315, "URL": 1384, "domain": 327, "hostname": 516, "FileHash-MD5": 19, "FileHash-SHA1": 19 }, "indicator_count": 3580, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a989843b7acf6d0a79ac", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "", "modified": "2023-12-06T17:04:09.133000", "created": "2023-12-06T17:04:09.133000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 290, "FileHash-SHA256": 1478, "hostname": 1047, "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "email": 1, "FilePath": 2, "Mutex": 1, "CIDR": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a975e2a76dd4ddaec80a", "name": "Remote Access attack | Agent Tesla | C2 | BatLoader | C2 | Dridex", "description": "", "modified": "2023-12-06T17:03:49.269000", "created": "2023-12-06T17:03:49.269000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 8, "FileHash-SHA256": 2173, "domain": 584, "hostname": 1707, "URL": 4145, "FileHash-SHA1": 545, "FileHash-MD5": 1071 }, "indicator_count": 10233, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8ec0568abca6f44e16f", "name": "quick look at vk.com", "description": "", "modified": "2023-12-06T17:01:32.275000", "created": "2023-12-06T17:01:32.275000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1981, "domain": 506, "hostname": 1262, "URL": 3080, "FileHash-MD5": 18, "FileHash-SHA1": 18 }, "indicator_count": 6865, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a823f8dbade2ab32ee77", "name": "Remote Access |Trick Clicks | C2 | False evidence appearing real. Content reputation.", "description": "", "modified": "2023-12-06T16:58:11.569000", "created": "2023-12-06T16:58:11.569000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-SHA256": 598, "hostname": 403, "domain": 583, "URL": 1814, "FileHash-MD5": 175, "FileHash-SHA1": 95 }, "indicator_count": 3675, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6a1be1f5233855ae116", "name": "Communication Device exploit", "description": "", "modified": "2023-12-06T16:51:45.122000", "created": "2023-12-06T16:51:45.122000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1682, "domain": 434, "hostname": 678, "FileHash-SHA1": 32, "URL": 4050, "FileHash-MD5": 32 }, "indicator_count": 6908, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a684ac21d7733c8e1041", "name": "Remcos \u2022 Communication Device exploit \u2022 C2", "description": "", "modified": "2023-12-06T16:51:16.351000", "created": "2023-12-06T16:51:16.351000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1682, "domain": 434, "hostname": 678, "FileHash-SHA1": 32, "URL": 4050, "FileHash-MD5": 32 }, "indicator_count": 6908, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a64f0bda3d89bf44603f", "name": "Remcos \u2022 Communication Device exploit \u2022 C2", "description": "", "modified": "2023-12-06T16:50:23.738000", "created": "2023-12-06T16:50:23.738000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1682, "domain": 434, "hostname": 678, "FileHash-SHA1": 32, "URL": 4050, "FileHash-MD5": 32 }, "indicator_count": 6908, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652cc4de6aa3848c3722e9a6", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "Serious concerns. Approached, threatened & told no cyber tool or literature would help me by a stranger in public place seconds after a male demanded to know if I had a SQL book or knowledge, asked for phone #, a date , to buy only 2 books and come with him? WHAT? He really wanted my number not me. he got so close to, I thought he had a wearable hacktool device. Ongoing. I realized dumping when I typed, the letter T only for another search term, results = Tsara Brashears dead? Clean search browser history. No Auto DL file titled: government Qbot Qakbot?! I couldn't open it. Last night I got a free unauthorized penetration test, apps, awful attack. Adult content dumping from listed in references. . I don't attack is China based despite server locations.. It's too easy to appear to be attacking from another country. Can't make it up. Ongoing long. Major disruption. Issue predates research.", "modified": "2023-11-15T01:03:46.666000", "created": "2023-10-16T05:06:38.412000", "tags": [ "whois record", "tsara brashears", "contacted", "threat roundup", "whois whois", "remcos", "iocs", "cyberstalking", "cry kill", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "malware", "awful", "open", "korplug", "execution", "pe resource", "referrer", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "quasar", "ursnif", "name verdict", "falcon sandbox", "sha256", "size", "sha1", "show process", "runtime process", "unicode", "crlf line", "ascii text", "mitre att", "type data", "hybrid", "general", "local", "path", "click", "strings", "nanjing xinfeng", "xiongmao group", "road descr", "district", "nanjing", "jiangsu", "china country", "apnic irt", "beijing", "china email", "copy md5", "copy sha1", "copy sha256", "AMERICA", "threat", "cyber criminal", "teams", "bounce", "Please Stop \u2205", "eminent threat", "Apple", "Android", "adversarial", "injection", "Tulach.cc malware", "scanning_host", "exploit_source", "ransomware" ], "references": [ "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e", "114.114.114.114", "http://login.live.com/oauth20_remoteconnect.srf", "a-poster.info", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "[Unnamed Teams Hacking Group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Wanna Cry Kill Switch", "display_name": "Wanna Cry Kill Switch", "target": null }, { "id": "RansomEXX (Windows)", "display_name": "RansomEXX (Windows)", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "FileHash-SHA256": 1478, "domain": 290, "hostname": 1047, "FilePath": 2, "Mutex": 1, "CVE": 2, "CIDR": 1, "email": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "886 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1c989df5416bd0ff3d38", "name": "Remote Access attack | Agent Tesla | C2 | BatLoader | C2 | Dridex", "description": "", "modified": "2023-11-14T17:01:45.019000", "created": "2023-10-30T03:01:44.846000", "tags": [ "whois record", "historical ssl", "ssl certificate", "communicating", "referrer", "united", "mail spammer", "detection list", "ip address", "blacklist", "possiblecerber", "outlook", "covid19", "artemis", "unsafe", "cisco umbrella", "site", "safe site", "phishing site", "malicious site", "malware", "malware site", "alexa top", "million", "phishingms", "exploit", "live", "blacklist https", "javascript", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "p3p cp", "pragma", "whois whois", "contacted", "threat network", "pe resource", "uatrue url", "typepv", "probe", "execution", "core", "emotet", "remcos", "nokoyawa", "asyncrat", "heur", "anonymizer", "firehol", "trojanx", "agent", "riskware", "trojan", "binder", "small", "downloader", "hupigon", "crypt", "cobalt strike", "union", "team", "agent tesla", "malicious", "fakealert", "dbatloader", "stealer", "nanocore rat", "formbook", "dropper", "dridex", "hawkeye", "netwire", "download", "opencandy", "bladabindi", "phishing", "bank", "alexa", "trojanspy", "maltiverse", "uatrue", "processorx86", "langen", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "injected", "mitre", "attack", "cybercrime", "Suspicious.Save", "dns server", "scanning ip's", "Backdoor.Remcos", "Threats200220200050", "IOC_19052020", "behaves like emotet" ], "references": [ "https://login.live.com/oauth20_remoteconnect.srf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "France" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "HawkEye Keylogger", "display_name": "HawkEye Keylogger", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Application.Generic", "display_name": "Application.Generic", "target": null }, { "id": "Backdoor.RemoteManipulator", "display_name": "Backdoor.RemoteManipulator", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "XOR.DDoS", "display_name": "XOR.DDoS", "target": null }, { "id": "Backdoor.Remcos", "display_name": "Backdoor.Remcos", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "652c33c45c1f1566c4b8c6a2", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1071, "FileHash-SHA1": 545, "FileHash-SHA256": 2173, "domain": 584, "hostname": 1707, "URL": 4145, "CVE": 8 }, "indicator_count": 10233, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652c33c45c1f1566c4b8c6a2", "name": "Remote Access attack | Agent Tesla | C2 | BatLoader | C2 | Dridex", "description": "https://login.live.com/oauth20_remoteconnect.srf\nInvalid CRDS Token\nI suffered quite an attack on my devices. My personal experience, phone service changed, embedding., privilege escalation adversaries, remote probe, obvious unauthorized microsoft usage multiple logins. embedded phone service apps, injected, unknown apps, dumping. connect/shared/ tethered to other clouds, apps devices, decrypted phone., cookies turned off after attack, no Google, other search engine access, passwords compromised malicious Google sorry index w/Azorult. I am targeted. Usual suspects\nPrior: 'D241 connect test was successful messages'. Wifi and cellular issues.\nAftermath, Zombie devices. C2. Calls don't connect, keyloggers, etc", "modified": "2023-11-14T17:01:45.019000", "created": "2023-10-15T18:47:32.354000", "tags": [ "whois record", "historical ssl", "ssl certificate", "communicating", "referrer", "united", "mail spammer", "detection list", "ip address", "blacklist", "possiblecerber", "outlook", "covid19", "artemis", "unsafe", "cisco umbrella", "site", "safe site", "phishing site", "malicious site", "malware", "malware site", "alexa top", "million", "phishingms", "exploit", "live", "blacklist https", "javascript", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "p3p cp", "pragma", "whois whois", "contacted", "threat network", "pe resource", "uatrue url", "typepv", "probe", "execution", "core", "emotet", "remcos", "nokoyawa", "asyncrat", "heur", "anonymizer", "firehol", "trojanx", "agent", "riskware", "trojan", "binder", "small", "downloader", "hupigon", "crypt", "cobalt strike", "union", "team", "agent tesla", "malicious", "fakealert", "dbatloader", "stealer", "nanocore rat", "formbook", "dropper", "dridex", "hawkeye", "netwire", "download", "opencandy", "bladabindi", "phishing", "bank", "alexa", "trojanspy", "maltiverse", "uatrue", "processorx86", "langen", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "injected", "mitre", "attack", "cybercrime", "Suspicious.Save", "dns server", "scanning ip's", "Backdoor.Remcos", "Threats200220200050", "IOC_19052020", "behaves like emotet" ], "references": [ "https://login.live.com/oauth20_remoteconnect.srf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "France" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "HawkEye Keylogger", "display_name": "HawkEye Keylogger", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Application.Generic", "display_name": "Application.Generic", "target": null }, { "id": "Backdoor.RemoteManipulator", "display_name": "Backdoor.RemoteManipulator", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "XOR.DDoS", "display_name": "XOR.DDoS", "target": null }, { "id": "Backdoor.Remcos", "display_name": "Backdoor.Remcos", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1071, "FileHash-SHA1": 545, "FileHash-SHA256": 2173, "domain": 584, "hostname": 1707, "URL": 4145, "CVE": 8 }, "indicator_count": 10233, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "887 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1b570ce3f6227774113b", "name": "Remote Access |Trick Clicks | C2 | False evidence appearing real. ", "description": "", "modified": "2023-11-07T08:04:06.581000", "created": "2023-10-30T02:56:23.462000", "tags": [ "heur", "cyber threat", "engineering", "covid19", "united", "phishing site", "telefonica peru", "malicious site", "control server", "phishing", "suppobox", "malware", "team", "ransomware", "download", "facebook", "daum", "cobalt strike", "pony", "artemis", "simda", "sodinokibi", "zbot", "bank", "feodo", "laplasclipper", "squirrelwaffle", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "revil", "matsnu", "service", "generic", "malicious", "emotet", "br", "trojanspy", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware site", "blacklist", "alexa", "malicious url", "detection list", "INDICATOR ROLE TITLE DESCRIPTION EXPIRATION RELATED PULSES URL ", "C2", "command_and_control", "nr-data", "cyber crime", "impersonation", "fraud", "intellectual property", "targets", "kedence", "song culture", "tsara lynn", "k\u00e9dence", "tsara", "tsara brashears", "social engineering", "interface exchange", "abuse", "privilege", "indicator", "file", "pattern match", "ascii text", "appdata", "windows nt", "script", "mitre att", "ck id", "show technique", "hybrid", "general", "local", "forced login", "content reputation", "reputation", "scheme", "crime", "cyber criminals", "arizona", "colorado", "newyork", "british", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata alerts", "event category", "description sid", "suricata", "suricata", "cloud", "device remotwd", "remote attack", "remote controlled devices", "tracking", "spyware", "florida", "united states", "canada", "estonia", "cyber criminal", "alert" ], "references": [ "smartwishlist_1_.js", "https://www.hybrid-analysis.com/sample/ef02a04e1487fd373923ef2aa42b3d9af8d5fd600e5198150283b31aa7ed7558", "CVE-2012-1856", "CVE-2013-1331", "CVE-2017-8570", "CVE-2017-0147", "CVE-2017-11882", "CVE-2017-0199", "CVE-2018-8453", "https://the.sciencebehindecommerce.com/d9core", "https://pixel.tapad.com/idsync/ex/push static-tracking.klaviyo.com u002dtracking.klaviyo.com", "https://www.miraclebrand.co/apps/wonderment/tracking", "remote-access.net", "dev.remote-access.net", "hubspot.remote-access.net", "http://avient.remote-access.net/", "qa.remote-access.net", "http://www.remote-access.net", "https://avient.remote-access.net", "bam.nr-data.net", "appleaccessory.online", "init.ess.apple.com", "tv.apple.com", "http://icloud.ypcdce.com", "dr4qe3ddw9y32.cloudfront.net", "http://45.159.189.105/bot/regex", "http://clipper.guru/bot/regex", "http://45.159.189.105/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34", "cloud.smartwishlist.webmarked.net", "http://dialacake.com/mumbai/yellow-pineapple-cake-2770.html", "https://hubspot.remote-access.net", "icloud.ypcdce.com", "Research and Data analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BR", "display_name": "BR", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Emotet - S0367", "display_name": "Emotet - S0367", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Virus:Win32/Daum", "display_name": "Virus:Win32/Daum", "target": "/malware/Virus:Win32/Daum" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Backdoor:PHP/Artemis", "display_name": "Backdoor:PHP/Artemis", "target": "/malware/Backdoor:PHP/Artemis" }, { "id": "TEL:HackTool:Win32/ArtemisUser", "display_name": "TEL:HackTool:Win32/ArtemisUser", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "REvil (ELF)", "display_name": "REvil (ELF)", "target": null }, { "id": "Trojan:Win32/Matsnu", "display_name": "Trojan:Win32/Matsnu", "target": "/malware/Trojan:Win32/Matsnu" }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "white", "cloned_from": "6522804c01930c8d2f1ad71f", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "hostname": 403, "domain": 583, "URL": 1814, "FileHash-MD5": 175, "FileHash-SHA1": 95, "FileHash-SHA256": 598 }, "indicator_count": 3675, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "894 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6522804c01930c8d2f1ad71f", "name": "Remote Access |Trick Clicks | C2 | False evidence appearing real. Content reputation.", "description": "Unrelated websites successfully flood , and dismantle reputations, marketing efforts of targets who has and lost 100% online visibility. Cyber criminals set up malicious websites, that drive down reputation, relevant media of target. The domains are traps popular w/some hackers or malicious red team groups typically hired by attorneys. Clicks, revenue flow to cyber criminals through malicious redirects, AGGRESSIVE social engineering, intellectual property abuse and obnoxious distraction. Contact is often made to trick target into believing their is interested in their product, body of work. Legal docs or funds may be exchange, giving cyber criminal access, email, clouds, Dropbox, forced login abuse, cloud share, phone number, C2, payment methods, banking, privilege to distribute, falsify ad campaigns of target. It's complicated but practices to frustrate , impoverish, profit, track, silence target. Malicious intent. Heavy tracking, core communication service swap.", "modified": "2023-11-07T08:04:06.581000", "created": "2023-10-08T10:11:22.600000", "tags": [ "heur", "cyber threat", "engineering", "covid19", "united", "phishing site", "telefonica peru", "malicious site", "control server", "phishing", "suppobox", "malware", "team", "ransomware", "download", "facebook", "daum", "cobalt strike", "pony", "artemis", "simda", "sodinokibi", "zbot", "bank", "feodo", "laplasclipper", "squirrelwaffle", "binder", "virut", "ramnit", "dropper", "formbook", "azorult", "revil", "matsnu", "service", "generic", "malicious", "emotet", "br", "trojanspy", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware site", "blacklist", "alexa", "malicious url", "detection list", "INDICATOR ROLE TITLE DESCRIPTION EXPIRATION RELATED PULSES URL ", "C2", "command_and_control", "nr-data", "cyber crime", "impersonation", "fraud", "intellectual property", "targets", "kedence", "song culture", "tsara lynn", "k\u00e9dence", "tsara", "tsara brashears", "social engineering", "interface exchange", "abuse", "privilege", "indicator", "file", "pattern match", "ascii text", "appdata", "windows nt", "script", "mitre att", "ck id", "show technique", "hybrid", "general", "local", "forced login", "content reputation", "reputation", "scheme", "crime", "cyber criminals", "arizona", "colorado", "newyork", "british", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata alerts", "event category", "description sid", "suricata", "suricata", "cloud", "device remotwd", "remote attack", "remote controlled devices", "tracking", "spyware", "florida", "united states", "canada", "estonia", "cyber criminal", "alert" ], "references": [ "smartwishlist_1_.js", "https://www.hybrid-analysis.com/sample/ef02a04e1487fd373923ef2aa42b3d9af8d5fd600e5198150283b31aa7ed7558", "CVE-2012-1856", "CVE-2013-1331", "CVE-2017-8570", "CVE-2017-0147", "CVE-2017-11882", "CVE-2017-0199", "CVE-2018-8453", "https://the.sciencebehindecommerce.com/d9core", "https://pixel.tapad.com/idsync/ex/push static-tracking.klaviyo.com u002dtracking.klaviyo.com", "https://www.miraclebrand.co/apps/wonderment/tracking", "remote-access.net", "dev.remote-access.net", "hubspot.remote-access.net", "http://avient.remote-access.net/", "qa.remote-access.net", "http://www.remote-access.net", "https://avient.remote-access.net", "bam.nr-data.net", "appleaccessory.online", "init.ess.apple.com", "tv.apple.com", "http://icloud.ypcdce.com", "dr4qe3ddw9y32.cloudfront.net", "http://45.159.189.105/bot/regex", "http://clipper.guru/bot/regex", "http://45.159.189.105/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34", "cloud.smartwishlist.webmarked.net", "http://dialacake.com/mumbai/yellow-pineapple-cake-2770.html", "https://hubspot.remote-access.net", "icloud.ypcdce.com", "Research and Data analysis" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BR", "display_name": "BR", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Emotet - S0367", "display_name": "Emotet - S0367", "target": null }, { "id": "Squirrelwaffle", "display_name": "Squirrelwaffle", "target": null }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Virus:Win32/Daum", "display_name": "Virus:Win32/Daum", "target": "/malware/Virus:Win32/Daum" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Backdoor:PHP/Artemis", "display_name": "Backdoor:PHP/Artemis", "target": "/malware/Backdoor:PHP/Artemis" }, { "id": "TEL:HackTool:Win32/ArtemisUser", "display_name": "TEL:HackTool:Win32/ArtemisUser", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "REvil (ELF)", "display_name": "REvil (ELF)", "target": null }, { "id": "Trojan:Win32/Matsnu", "display_name": "Trojan:Win32/Matsnu", "target": "/malware/Trojan:Win32/Matsnu" }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Backdoor:Win32/Zbot", "display_name": "Backdoor:Win32/Zbot", "target": "/malware/Backdoor:Win32/Zbot" }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "Pony - S0453", "display_name": "Pony - S0453", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "hostname": 403, "domain": 583, "URL": 1814, "FileHash-MD5": 175, "FileHash-SHA1": 95, "FileHash-SHA256": 598 }, "indicator_count": 3675, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "894 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f13c8ed1904a82c5615e1", "name": "Remcos \u2022 Communication Device exploit \u2022 C2", "description": "", "modified": "2023-10-30T02:24:08.053000", "created": "2023-10-30T02:24:08.053000", "tags": [ "threat roundup", "referrer", "communicating", "ssl certificate", "historical ssl", "apple", "execution", "core", "ursnif", "hacktool", "remcos", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata alerts", "event category", "description sid", "nr-data", "target", "walker", "pornhub", "exploit", "issues", "js user" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "65134045c1fc19331472ef05", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 32, "FileHash-SHA256": 1682, "URL": 4050, "domain": 434, "hostname": 678 }, "indicator_count": 6908, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6511134ea6ee89ec55836a41", "name": "Remcos \u2022 Communication Device exploit \u2022 C2", "description": "Apple iOS exploit", "modified": "2023-10-25T04:00:03.254000", "created": "2023-09-25T04:57:50.258000", "tags": [ "threat roundup", "referrer", "communicating", "ssl certificate", "historical ssl", "apple", "execution", "core", "ursnif", "hacktool", "remcos", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata alerts", "event category", "description sid", "nr-data", "target", "walker", "pornhub", "exploit", "issues", "js user" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 32, "FileHash-SHA256": 1682, "URL": 4050, "domain": 434, "hostname": 678 }, "indicator_count": 6908, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "907 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "651349817011ab7e29b7e305", "name": "Communication Device exploit", "description": "", "modified": "2023-10-25T04:00:03.254000", "created": "2023-09-26T21:13:37.864000", "tags": [ "threat roundup", "referrer", "communicating", "ssl certificate", "historical ssl", "apple", "execution", "core", "ursnif", "hacktool", "remcos", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata alerts", "event category", "description sid", "nr-data", "target", "walker", "pornhub", "exploit", "issues", "js user" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "6511134ea6ee89ec55836a41", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 32, "FileHash-SHA256": 1682, "URL": 4050, "domain": 434, "hostname": 678 }, "indicator_count": 6908, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "907 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65134045c1fc19331472ef05", "name": "Remcos \u2022 Communication Device exploit \u2022 C2", "description": "", "modified": "2023-10-25T04:00:03.254000", "created": "2023-09-26T20:34:13.879000", "tags": [ "threat roundup", "referrer", "communicating", "ssl certificate", "historical ssl", "apple", "execution", "core", "ursnif", "hacktool", "remcos", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata alerts", "event category", "description sid", "nr-data", "target", "walker", "pornhub", "exploit", "issues", "js user" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "6511134ea6ee89ec55836a41", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 32, "FileHash-SHA256": 1682, "URL": 4050, "domain": 434, "hostname": 678 }, "indicator_count": 6908, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "907 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "icloud.ypcdce.com", "http://45.159.189.105/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34", "dev.remote-access.net", "http://clipper.guru/bot/regex", "https://avient.remote-access.net", "cloud.smartwishlist.webmarked.net", "CVE-2012-1856", "hubspot.remote-access.net", "http://www.remote-access.net", "114.114.114.114", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://hubspot.remote-access.net", "CVE-2017-0147", "CVE-2017-0199", "http://45.159.189.105/bot/regex", "tv.apple.com", "appleaccessory.online", "CVE-2018-8453", "https://the.sciencebehindecommerce.com/d9core", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e", "https://pixel.tapad.com/idsync/ex/push static-tracking.klaviyo.com u002dtracking.klaviyo.com", "http://icloud.ypcdce.com", "https://www.miraclebrand.co/apps/wonderment/tracking", "a-poster.info", "http://dialacake.com/mumbai/yellow-pineapple-cake-2770.html", "CVE-2017-8570", "init.ess.apple.com", "qa.remote-access.net", "http://login.live.com/oauth20_remoteconnect.srf", "remote-access.net", "dr4qe3ddw9y32.cloudfront.net", "CVE-2017-11882", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "smartwishlist_1_.js", "https://login.live.com/oauth20_remoteconnect.srf", "bam.nr-data.net", "https://www.hybrid-analysis.com/sample/ef02a04e1487fd373923ef2aa42b3d9af8d5fd600e5198150283b31aa7ed7558", "CVE-2013-1331", "Research and Data analysis", "http://avient.remote-access.net/", "https://www.sweetheartvideo.com/tsara-brashears/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "[Unnamed Teams Hacking Group]" ], "malware_families": [ "Dark power", "Backdoor:win32/simda", "Quasar rat", "Daxin", "Dridex", "Backdoor.remotemanipulator", "Xor.ddos", "Zeus", "Virus:win32/daum", "Feodo", "Backdoor.remcos", "Njrat - s0385", "Remcos", "Ransomexx (windows)", "Emotet - s0367", "Formbook", "Backdoor:php/artemis", "Suppobox", "Squirrelwaffle", "Suspicious.save", "Laplasclipper", "Trojan:win32/matsnu", "Backdoor:win32/zbot", "Gen:heur.ransom.hiddentears", "Maltiverse", "Tel:hacktool:win32/artemisuser", "Trojanspy", "Pony - s0453", "Ransomware", "Cobalt strike", "Ramnit", "Azorult - s0344", "Br", "Nanocore rat", "Virut", "Wanna cry kill switch", "Revil (elf)", "Qakbot - s0650", "Hawkeye keylogger", "Application.generic", "Agent tesla - s0331" ], "industries": [], "unique_indicators": 36455 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/icbcbc.com.cn", "whois": "http://whois.domaintools.com/icbcbc.com.cn", "domain": "icbcbc.com.cn", "hostname": "m1.icbcbc.com.cn" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "6529c91a4f8f0c898f48088c", "name": "quick look at vk.com", "description": "", "modified": "2025-06-26T22:23:19.431000", "created": "2023-10-13T22:47:54.295000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 1981, "domain": 506, "hostname": 1258, "URL": 3080 }, "indicator_count": 6861, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a836104ede1963b0502042", "name": "Not even Google", "description": "https://shadow.googlecnapps.cn\njoshuajenkinslaw.com", "modified": "2024-02-16T17:02:44.115000", "created": "2024-01-17T20:18:24.316000", "tags": [ "ssl certificate", "threat roundup", "whois record", "march", "october", "contacted", "july", "april", "june", "roundup", "august", "copy", "execution", "plugx", "goldfinder", "sibot", "hacktool", "february", "ransomexx", "ermac", "emotet", "agent tesla", "nokoyawa" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1315, "URL": 1384, "domain": 327, "hostname": 516, "FileHash-MD5": 19, "FileHash-SHA1": 19 }, "indicator_count": 3580, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "793 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a989843b7acf6d0a79ac", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "", "modified": "2023-12-06T17:04:09.133000", "created": "2023-12-06T17:04:09.133000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 290, "FileHash-SHA256": 1478, "hostname": 1047, "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "email": 1, "FilePath": 2, "Mutex": 1, "CIDR": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a975e2a76dd4ddaec80a", "name": "Remote Access attack | Agent Tesla | C2 | BatLoader | C2 | Dridex", "description": "", "modified": "2023-12-06T17:03:49.269000", "created": "2023-12-06T17:03:49.269000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 8, "FileHash-SHA256": 2173, "domain": 584, "hostname": 1707, "URL": 4145, "FileHash-SHA1": 545, "FileHash-MD5": 1071 }, "indicator_count": 10233, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8ec0568abca6f44e16f", "name": "quick look at vk.com", "description": "", "modified": "2023-12-06T17:01:32.275000", "created": "2023-12-06T17:01:32.275000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1981, "domain": 506, "hostname": 1262, "URL": 3080, "FileHash-MD5": 18, "FileHash-SHA1": 18 }, "indicator_count": 6865, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a823f8dbade2ab32ee77", "name": "Remote Access |Trick Clicks | C2 | False evidence appearing real. Content reputation.", "description": "", "modified": "2023-12-06T16:58:11.569000", "created": "2023-12-06T16:58:11.569000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-SHA256": 598, "hostname": 403, "domain": 583, "URL": 1814, "FileHash-MD5": 175, "FileHash-SHA1": 95 }, "indicator_count": 3675, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6a1be1f5233855ae116", "name": "Communication Device exploit", "description": "", "modified": "2023-12-06T16:51:45.122000", "created": "2023-12-06T16:51:45.122000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1682, "domain": 434, "hostname": 678, "FileHash-SHA1": 32, "URL": 4050, "FileHash-MD5": 32 }, "indicator_count": 6908, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a684ac21d7733c8e1041", "name": "Remcos \u2022 Communication Device exploit \u2022 C2", "description": "", "modified": "2023-12-06T16:51:16.351000", "created": "2023-12-06T16:51:16.351000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1682, "domain": 434, "hostname": 678, "FileHash-SHA1": 32, "URL": 4050, "FileHash-MD5": 32 }, "indicator_count": 6908, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a64f0bda3d89bf44603f", "name": "Remcos \u2022 Communication Device exploit \u2022 C2", "description": "", "modified": "2023-12-06T16:50:23.738000", "created": "2023-12-06T16:50:23.738000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1682, "domain": 434, "hostname": 678, "FileHash-SHA1": 32, "URL": 4050, "FileHash-MD5": 32 }, "indicator_count": 6908, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652cc4de6aa3848c3722e9a6", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "Serious concerns. Approached, threatened & told no cyber tool or literature would help me by a stranger in public place seconds after a male demanded to know if I had a SQL book or knowledge, asked for phone #, a date , to buy only 2 books and come with him? WHAT? He really wanted my number not me. he got so close to, I thought he had a wearable hacktool device. Ongoing. I realized dumping when I typed, the letter T only for another search term, results = Tsara Brashears dead? Clean search browser history. No Auto DL file titled: government Qbot Qakbot?! I couldn't open it. Last night I got a free unauthorized penetration test, apps, awful attack. Adult content dumping from listed in references. . I don't attack is China based despite server locations.. It's too easy to appear to be attacking from another country. Can't make it up. Ongoing long. Major disruption. Issue predates research.", "modified": "2023-11-15T01:03:46.666000", "created": "2023-10-16T05:06:38.412000", "tags": [ "whois record", "tsara brashears", "contacted", "threat roundup", "whois whois", "remcos", "iocs", "cyberstalking", "cry kill", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "malware", "awful", "open", "korplug", "execution", "pe resource", "referrer", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "quasar", "ursnif", "name verdict", "falcon sandbox", "sha256", "size", "sha1", "show process", "runtime process", "unicode", "crlf line", "ascii text", "mitre att", "type data", "hybrid", "general", "local", "path", "click", "strings", "nanjing xinfeng", "xiongmao group", "road descr", "district", "nanjing", "jiangsu", "china country", "apnic irt", "beijing", "china email", "copy md5", "copy sha1", "copy sha256", "AMERICA", "threat", "cyber criminal", "teams", "bounce", "Please Stop \u2205", "eminent threat", "Apple", "Android", "adversarial", "injection", "Tulach.cc malware", "scanning_host", "exploit_source", "ransomware" ], "references": [ "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e", "114.114.114.114", "http://login.live.com/oauth20_remoteconnect.srf", "a-poster.info", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "[Unnamed Teams Hacking Group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Wanna Cry Kill Switch", "display_name": "Wanna Cry Kill Switch", "target": null }, { "id": "RansomEXX (Windows)", "display_name": "RansomEXX (Windows)", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "FileHash-SHA256": 1478, "domain": 290, "hostname": 1047, "FilePath": 2, "Mutex": 1, "CVE": 2, "CIDR": 1, "email": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "886 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://m1.icbcbc.com.cn", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://m1.icbcbc.com.cn", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641968.101751 }