{ "type": "URL", "indicator": "https://mail.thecluelesscoffee.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://mail.thecluelesscoffee.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3783709257, "indicator": "https://mail.thecluelesscoffee.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "656aafd0e93efa420f74123c", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2024-10-12T01:00:47.836000", "created": "2023-12-02T04:17:20.189000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 107, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3895, "URL": 11195, "domain": 2959, "hostname": 3575, "CVE": 16, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 24465, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6583e3a2d1432cbf9054d26d", "name": "Qkbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T07:05:06.936000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://tulach.cc/ [phishing, exploits, malware spreader]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8343, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3565, "domain": 1494, "hostname": 2218, "CVE": 6 }, "indicator_count": 17068, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6583e3acc7f464d48a3503d1", "name": "Qkbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T07:05:16.695000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://tulach.cc/ [phishing, exploits, malware spreader]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8343, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3565, "domain": 1494, "hostname": 2218, "CVE": 6 }, "indicator_count": 17068, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658449d3f6ec1af2f3aace46", "name": "Qakbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip Qbot zip found in Reddit Honeypot link: https://www.reddit.com/user backdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware malvertizing, fraud services, leads to full control of badly compromised digital profile.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T14:21:07.435000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach", "password stealer", "active threat", "apple", "pinkslipbot", "icloud", "free", "apple" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip. [Qbot zip]", "https://tulach.cc/ [Botnet phishing]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user [honeypot]", "beacons.bcp.gvt.com [tracking]", "https://www.norad.mil/ [tracking]", "www.norad.mil [tracking]", "www.apple.com [API property call]", "https://www.apple.com/qtactivex/qtplugin.cab [https://www.icloud.com .cab]", "yesporn.fun", "http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]", "114.114.114.114 [Tulach | Virus Network IP]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Pinkslipbot", "display_name": "Pinkslipbot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 124, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8736, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3566, "domain": 1516, "hostname": 2221, "CVE": 6 }, "indicator_count": 17487, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6562908e28e6cdc237fbf8db", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-11-26T00:25:50.529000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aafce24b001cba328dcbc", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-12-02T04:17:18.188000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 78, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d7ac217661e4bc37f4d", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:22.356000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d89b33758a190399f39", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:37.838000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6edffd3910161c2ad1a2", "name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert", "description": "", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:25:19.843000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655f6d89b33758a190399f39", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655e3de9eb518e46e96e9fd4", "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "tx-p2p-pull.video-voip.com.dorm.com", "modified": "2023-12-22T15:02:57.858000", "created": "2023-11-22T17:44:09.675000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655e3debccfb06fb9580b69d", "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "tx-p2p-pull.video-voip.com.dorm.com", "modified": "2023-12-22T15:02:57.858000", "created": "2023-11-22T17:44:11.982000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a947431aca6a0666c11b4", "name": " RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "", "modified": "2023-12-22T15:02:57.858000", "created": "2023-12-02T02:20:36.922000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655e3debccfb06fb9580b69d", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655dafbe9ac9ac786fde45ad", "name": "http://malwaredomainlist.com/ \u2022 CNC \u2022 Spyware \u2022 Tracking", "description": "Network capture, dga domain, ecc domain, data collection, voicemail access, mail spammer, registrar abuse\n\n[Auto populated. I can't cannot confirm or deny the accuracy of the following information: A summary of key facts and information about a malicious web domain, hosted by the US government, has been released by Google.com and its parent company, Alphabet, for use on its website.]", "modified": "2023-12-22T06:03:01.993000", "created": "2023-11-22T07:37:34.595000", "tags": [ "united", "as22612", "as2637", "creation date", "search", "moved", "expiration date", "date", "showing", "as397240", "next", "entries", "scan endpoints", "all octoseek", "dns replication", "win32 exe", "network capture", "android", "android adaway", "html", "files", "detections type", "name", "office open", "xml document", "namecheap", "namecheap inc", "whois lookups", "win32 dll", "text", "wextract", "text htaccess", "powershell", "detection list", "blacklist", "first", "ssl certificate", "whois record", "contacted", "december", "whois whois", "threat roundup", "historical ssl", "problems", "referrer", "pe resource", "startpage", "cyber threat", "redline stealer", "mail spammer", "hostname", "phishing site", "malicious site", "installcore", "http spammer", "malware site", "malware", "generic malware", "heur", "generic", "alexa top", "million", "site", "cisco umbrella", "alexa", "ip address", "algorithm", "data", "v3 serial", "number", "cat cnzerossl", "ecc domain", "secure site", "ca ozerossl", "validity", "subject public", "server", "email", "code", "registrar abuse", "country", "privacy service", "withheld", "privacy", "domain name", "pattern match", "ascii text", "appdata", "file", "windows nt", "svg scalable", "vector graphics", "indicator", "gif image", "accept", "hybrid", "general", "local", "pixel", "click", "twitter", "strings", "class", "generator", "critical", "command_and_control", "spyware", "tracking", "voicemail access", "dga", "apple" ], "references": [ "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e", "\u2193Interesting\u2193", "IPv4 198.54.117.211 command_and_control", "IPv4 198.54.117.210 command_and_control", "IPv4 198.54.117.212 command_and_control", "IPv4 198.54.117.215 command_and_control", "IPv4 198.54.117.217 command_and_control", "IPv4 198.54.117.218 command_and_control", "apple-securityiphone-icloud.com", "tx-p2p-pull.video-voip.com.dorm.com", "http://updates.voicemailaccess.net/b0f6a00b15311023", "tvapp-server.de", "zeustracker.abuse.ch", "ransomwaretracker.abuse.ch", "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid", "louisianarooflawyers.com [phishing]", "hasownproperty.call" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 105, "FileHash-SHA1": 100, "FileHash-SHA256": 3072, "domain": 1188, "email": 5, "URL": 7940, "hostname": 1925, "CVE": 1 }, "indicator_count": 14336, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6558c481715409563073cb79", "name": "Fraud Services", "description": "http://kramtechnology.com/, fraud services, network, rat, trojan, phishing, malvertizing, malware hosting, scanning host, archives browser events.", "modified": "2023-12-18T05:05:36.760000", "created": "2023-11-18T14:04:48.923000", "tags": [ "methodpost", "dropped", "contacted", "ssl certificate", "whois record", "zva8k4ghshhpcb5", "contacted urls", "q0gpyr1balpdgpo", "historical ssl", "page dow", "blacklist http", "cisco umbrella", "site", "alexa top", "safe site", "million", "paypal", "team phishing", "malicious url", "alexa", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "malware", "united", "passive dns", "scan endpoints", "all search", "otx octoseek", "ipv4", "pulse pulses", "urls", "files", "reverse dns", "twitter", "log id", "gmtn", "sectigo rsa", "secure server", "tls web", "salford", "sectigo limited", "ocsp", "false", "california", "british virgin", "locality", "d3 a5", "url http" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14816, "FileHash-MD5": 41, "FileHash-SHA1": 33, "FileHash-SHA256": 5158, "domain": 3758, "hostname": 2961, "email": 4, "SSLCertFingerprint": 3, "CVE": 3 }, "indicator_count": 26777, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "malicious.high.ml [dropper]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.reddit.com/user [honeypot]", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "tvapp-server.de", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "puzylyp.com [command_and_control]", "louisianarooflawyers.com [phishing]", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://seedbeej.pk/tin/index.php?QBOT.zip. [Qbot zip]", "http://updates.voicemailaccess.net/b0f6a00b15311023", "www.norad.mil [tracking]", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "zeustracker.abuse.ch", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "103.233.208.9 (CNC IP)", "http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "www.apple.com [API property call]", "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid", "https://tulach.cc/ [phishing]", "198.54.115.46 [exploit_source]", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "gadyniw.com [command_and_control]", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "beacons.bcp.gvt.com [tracking]", "https://seedbeej.pk/tin/index.php?QBOT.zip", "galyqaz.com [command_and_control]", "114.114.114.114 [Tulach | Virus Network IP]", "photos.theleders.family", "freeimdatingsites.thomasdobo.eu", "emails.redvue.com (apple DNS w/amvima)", "https://urlscan.io/domain/maxwam.tk", "IPv4 198.54.117.218 command_and_control", "http://tracks.theleders.family", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "\u2193Interesting\u2193", "https://tulach.cc/ [Botnet phishing]", "IPv4 198.54.117.215 command_and_control", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "hasownproperty.call", "tx-p2p-pull.video-voip.com.dorm.com", "api.useragentswitch.com", "yesporn.fun", "IPv4 198.54.117.217 command_and_control", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "142.250.180.4 (init.ess)", "http://mobtrack.trkclk.net", "https://www.reddit.com/user", "nr-data.net", "*otc.greatcall.com [Botnetwork]", "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e", "https://www.apple.com/qtactivex/qtplugin.cab [https://www.icloud.com .cab]", "dns.google (DNS client services - Doug Cole)", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "lyvyxor.com [command_and_control]", "IPv4 198.54.117.211 command_and_control", "IPv4 198.54.117.212 command_and_control", "https://www.norad.mil/ [tracking]", "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "apple-dns.net", "ransomwaretracker.abuse.ch", "IPv4 198.54.117.210 command_and_control", "gahyqah.com [command_and_control]", "apple-securityiphone-icloud.com", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "apex.jquery.com (scammer | works for who?)", "https://tulach.cc/ [phishing, exploits, malware spreader]", "tulach.cc. [Malevolent | Modified description]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Qbot" ], "malware_families": [ "Zbot", "Azorult", "Ramnit", "Slingshot", "Pony", "Xrat", "Nymaim", "Infy", "Unruy", "Betabot", "Hawkeye", "Gamehack", "Sality", "Dexter", "Qakbot", "Swrort", "Athena", "Spyeye", "Cutwail", "Installcore", "Quasar", "Trojanx", "Alf:cert:bandoo", "Redline stealer", "Simda", "Et", "Neutrino", "Hidelink", "Mediamagnet", "Vskimmer", "Dorkbot", "Andromeda", "States", "Citadel", "Maltiverse", "Spitmo", "Alinaos", "Bondat", "Generic", "Kraken", "Hydra", "Bambernek", "Tulach", "Virut", "Roblox", "Gregory", "Suppobox", "Adaptivebee", "Iobit", "Zeus", "Vawtrak", "Trojanspy", "Matsnu", "Plasma rat", "Ascii", "Tofsee", "Beach research", "Emotet", "Covid19", "Nsis", "Solar", "Pinkslipbot", "Webtoolbar", "Tulach malware", "Pykspa", "Artemis", "Blacknet", "Grandcrab" ], "industries": [], "unique_indicators": 101546 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/thecluelesscoffee.com", "whois": "http://whois.domaintools.com/thecluelesscoffee.com", "domain": "thecluelesscoffee.com", "hostname": "mail.thecluelesscoffee.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "656aafd0e93efa420f74123c", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2024-10-12T01:00:47.836000", "created": "2023-12-02T04:17:20.189000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 107, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3895, "URL": 11195, "domain": 2959, "hostname": 3575, "CVE": 16, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 24465, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6583e3a2d1432cbf9054d26d", "name": "Qkbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T07:05:06.936000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://tulach.cc/ [phishing, exploits, malware spreader]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8343, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3565, "domain": 1494, "hostname": 2218, "CVE": 6 }, "indicator_count": 17068, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6583e3acc7f464d48a3503d1", "name": "Qkbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T07:05:16.695000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://tulach.cc/ [phishing, exploits, malware spreader]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8343, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3565, "domain": 1494, "hostname": 2218, "CVE": 6 }, "indicator_count": 17068, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658449d3f6ec1af2f3aace46", "name": "Qakbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip Qbot zip found in Reddit Honeypot link: https://www.reddit.com/user backdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware malvertizing, fraud services, leads to full control of badly compromised digital profile.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T14:21:07.435000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach", "password stealer", "active threat", "apple", "pinkslipbot", "icloud", "free", "apple" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip. [Qbot zip]", "https://tulach.cc/ [Botnet phishing]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user [honeypot]", "beacons.bcp.gvt.com [tracking]", "https://www.norad.mil/ [tracking]", "www.norad.mil [tracking]", "www.apple.com [API property call]", "https://www.apple.com/qtactivex/qtplugin.cab [https://www.icloud.com .cab]", "yesporn.fun", "http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]", "114.114.114.114 [Tulach | Virus Network IP]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Pinkslipbot", "display_name": "Pinkslipbot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 124, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8736, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3566, "domain": 1516, "hostname": 2221, "CVE": 6 }, "indicator_count": 17487, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "821 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6562908e28e6cdc237fbf8db", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-11-26T00:25:50.529000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aafce24b001cba328dcbc", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-12-02T04:17:18.188000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 78, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d7ac217661e4bc37f4d", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:22.356000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d89b33758a190399f39", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:37.838000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6edffd3910161c2ad1a2", "name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert", "description": "", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:25:19.843000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655f6d89b33758a190399f39", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655e3de9eb518e46e96e9fd4", "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "tx-p2p-pull.video-voip.com.dorm.com", "modified": "2023-12-22T15:02:57.858000", "created": "2023-11-22T17:44:09.675000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://mail.thecluelesscoffee.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://mail.thecluelesscoffee.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776651012.8989363 }