{ "type": "URL", "indicator": "https://mails.familiemeister.ch", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://mails.familiemeister.ch", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3084250654, "indicator": "https://mails.familiemeister.ch", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6580d422fb57aab8e21c1f39", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password", "description": "Deeply hidden inRallypoint.com. \nWitchetty cyber espionage: Witchetty's activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload.\n\nBlueShell is a backdoor malware developed in Go language, published on Github, and it supports Windows, Linux, and \nDalbit APT Group targets vulnerable servers to breach information including internal data from companies or encrypts files may demand money.", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-18T23:22:10.482000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6581d83bfd115be1f92d75a9", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password [Octoseek]", "description": "", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-19T17:51:55.338000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": "6580d422fb57aab8e21c1f39", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6581d83e20634ac0d58ceca9", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password [Octoseek]", "description": "", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-19T17:51:58.995000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": "6580d422fb57aab8e21c1f39", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65576cfc8a3c48947d76db0e", "name": "Apple Private Data Collection Data.net\u2192Asp.net", "description": "APDC became apparent to me when it showed up in plain text on a discarded iOS belonging to target. Fraud services puts target in jeopardy, tracking, location hunting, listening, camera , access, photo access, message, threats via digital communication, emails archived, hidden users, social engineering, drive by app chooser, no click attacks.", "modified": "2023-12-17T12:01:00.032000", "created": "2023-11-17T13:39:08.903000", "tags": [ "url http", "entries", "apple private data collection", "whois record", "contacted", "ssl certificate", "execution", "communicating", "referrer", "historical ssl", "tsara brashears", "collections dns", "rwi dtools", "relic", "monitoring", "vidar", "remcos", "august", "nanocore rat", "malware", "name verdict", "pattern match", "script", "beginstring", "mitre att", "misc attack", "ascii text", "null", "ck id", "show technique", "ck matrix", "date", "unknown", "error", "refresh", "span", "tools", "body", "class", "generator", "critical", "look", "verify", "restart", "meta", "hybrid", "general", "local", "click", "strings", "http://114.114.114.114:90/login", "brian sabey", "hallrender", "malvertizing", "dumping", "framing", "fraud services", "trojan", "command_and_control", "silencing", "retaliation", "cyber threat", "confusing", "impersonation", "network rat", "privilege abuse", "hijacker" ], "references": [ "https://hybrid-analysis.com/sample/da72172e40686435fedc33045fd7e605531edd4b11617b6e605b459f047ce913", "https://hybrid-analysis.com/sample/2cfbf379c005c2c33276d56def17858aeded1996d0c5de0c9d607c88cda8897d", "gov-bam.nr-data.net", "bam.nr-data.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://45.159.189.105/bot/regex", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://www.anyxxxtube.net/media/favicon/apple" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Matrix", "display_name": "Matrix", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1384, "domain": 176, "hostname": 502, "FileHash-SHA256": 1609, "FileHash-MD5": 96, "FileHash-SHA1": 93, "CVE": 1 }, "indicator_count": 3861, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580d2e6c8373c7290d9ad8", "name": "Apple Private Data Collection Data.net\u2192Asp.net", "description": "", "modified": "2023-12-17T12:01:00.032000", "created": "2023-11-18T01:02:38.770000", "tags": [ "url http", "entries", "apple private data collection", "whois record", "contacted", "ssl certificate", "execution", "communicating", "referrer", "historical ssl", "tsara brashears", "collections dns", "rwi dtools", "relic", "monitoring", "vidar", "remcos", "august", "nanocore rat", "malware", "name verdict", "pattern match", "script", "beginstring", "mitre att", "misc attack", "ascii text", "null", "ck id", "show technique", "ck matrix", "date", "unknown", "error", "refresh", "span", "tools", "body", "class", "generator", "critical", "look", "verify", "restart", "meta", "hybrid", "general", "local", "click", "strings", "http://114.114.114.114:90/login", "brian sabey", "hallrender", "malvertizing", "dumping", "framing", "fraud services", "trojan", "command_and_control", "silencing", "retaliation", "cyber threat", "confusing", "impersonation", "network rat", "privilege abuse", "hijacker" ], "references": [ "https://hybrid-analysis.com/sample/da72172e40686435fedc33045fd7e605531edd4b11617b6e605b459f047ce913", "https://hybrid-analysis.com/sample/2cfbf379c005c2c33276d56def17858aeded1996d0c5de0c9d607c88cda8897d", "gov-bam.nr-data.net", "bam.nr-data.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://45.159.189.105/bot/regex", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://www.anyxxxtube.net/media/favicon/apple" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Matrix", "display_name": "Matrix", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": "65576cfc8a3c48947d76db0e", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1384, "domain": 176, "hostname": 502, "FileHash-SHA256": 1609, "FileHash-MD5": 96, "FileHash-SHA1": 93, "CVE": 1 }, "indicator_count": 3861, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708feb95f4a8036bc00cdb", "name": "Legacy Infrastructure is being weaponised to harm consumers privacy - NUTS", "description": "", "modified": "2023-12-06T15:14:51.780000", "created": "2023-12-06T15:14:51.780000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 388, "URL": 450, "hostname": 237, "domain": 68 }, "indicator_count": 1144, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62bc43a9e65c77c381e213a3", "name": "Legacy Infrastructure is being weaponised to harm consumers privacy - NUTS", "description": "", "modified": "2022-07-29T00:00:24.010000", "created": "2022-06-29T12:20:57.629000", "tags": [ "opaltelecom", "talktalk still hacked", "legacy", "jabber", "spyware masked as ad fraud", "spyware masked as games", "nuts" ], "references": [ "VT graph Json upload", "https://www.virustotal.com/graph/g4110a4cf76164306882fcd5045aeb882cfd873ed2b13467ab1d5dcb8cf94eb1d", "10.100.112.67 and 10.103.2.210 and 172.26.35.7" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 237, "URL": 450, "domain": 68, "FileHash-SHA256": 388, "CVE": 1 }, "indicator_count": 1144, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1402 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Traffic 13.107.4.52:80 (TCP)", "rp.downloadastrocdn.com [command_and_control]", "https://hybrid-analysis.com/sample/2cfbf379c005c2c33276d56def17858aeded1996d0c5de0c9d607c88cda8897d", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "104.86.182.8 [command_and_control]", "103.224.182.246 [command_and_control]", "https://www.virustotal.com/graph/g4110a4cf76164306882fcd5045aeb882cfd873ed2b13467ab1d5dcb8cf94eb1d", "www.supernetforme.com [command_and_control]", "api.anonfiles.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "86.140.232.148 [scanning_host]", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "checkip.dyndns.org [command_and_control]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "Gowi Live Bot.exe", "checkip.dyndns.org", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "https://hybrid-analysis.com/sample/da72172e40686435fedc33045fd7e605531edd4b11617b6e605b459f047ce913", "DNS Query for Anonfiles.com Domain", "bam.nr-data.net", "https://tulach.cc/ [phishing attacks]", "checkip.dyndns.com", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "10.100.112.67 and 10.103.2.210 and 172.26.35.7", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "https://www.reddit.com/user/", "VT graph Json upload", "http://45.159.189.105/bot/regex", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "MALWARE_Win_StormKitty", "EaZy Client.exe", "3.163.189.120 [Tracking]", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "tulach.cc [AM | phishing]", "ddos.dnsnb8.net [command_and_control]", "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "qbittorrent.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "103.224.182.253 [command_and_control]", "discord.com", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "gov-bam.nr-data.net", "https://www.anyxxxtube.net/media/favicon/apple" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Witchetty APT Group" ], "malware_families": [ "Trojan", "Relic", "Lokbit", "Nsis", "Static ai - malicious pe", "Blueshell", "Trojan.msil/stealer", "Malware", "Am", "Honeypot", "Matrix", "Agent tesla", "Nanocore rat", "Adware.pcappstore/veryfast", "Remcos", "Tulach malware", "Vidar", "Mac.malware", "Witchetty" ], "industries": [], "unique_indicators": 29469 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/familiemeister.ch", "whois": "http://whois.domaintools.com/familiemeister.ch", "domain": "familiemeister.ch", "hostname": "mails.familiemeister.ch" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6580d422fb57aab8e21c1f39", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password", "description": "Deeply hidden inRallypoint.com. \nWitchetty cyber espionage: Witchetty's activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload.\n\nBlueShell is a backdoor malware developed in Go language, published on Github, and it supports Windows, Linux, and \nDalbit APT Group targets vulnerable servers to breach information including internal data from companies or encrypts files may demand money.", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-18T23:22:10.482000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6581d83bfd115be1f92d75a9", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password [Octoseek]", "description": "", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-19T17:51:55.338000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": "6580d422fb57aab8e21c1f39", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6581d83e20634ac0d58ceca9", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password [Octoseek]", "description": "", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-19T17:51:58.995000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": "6580d422fb57aab8e21c1f39", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65576cfc8a3c48947d76db0e", "name": "Apple Private Data Collection Data.net\u2192Asp.net", "description": "APDC became apparent to me when it showed up in plain text on a discarded iOS belonging to target. Fraud services puts target in jeopardy, tracking, location hunting, listening, camera , access, photo access, message, threats via digital communication, emails archived, hidden users, social engineering, drive by app chooser, no click attacks.", "modified": "2023-12-17T12:01:00.032000", "created": "2023-11-17T13:39:08.903000", "tags": [ "url http", "entries", "apple private data collection", "whois record", "contacted", "ssl certificate", "execution", "communicating", "referrer", "historical ssl", "tsara brashears", "collections dns", "rwi dtools", "relic", "monitoring", "vidar", "remcos", "august", "nanocore rat", "malware", "name verdict", "pattern match", "script", "beginstring", "mitre att", "misc attack", "ascii text", "null", "ck id", "show technique", "ck matrix", "date", "unknown", "error", "refresh", "span", "tools", "body", "class", "generator", "critical", "look", "verify", "restart", "meta", "hybrid", "general", "local", "click", "strings", "http://114.114.114.114:90/login", "brian sabey", "hallrender", "malvertizing", "dumping", "framing", "fraud services", "trojan", "command_and_control", "silencing", "retaliation", "cyber threat", "confusing", "impersonation", "network rat", "privilege abuse", "hijacker" ], "references": [ "https://hybrid-analysis.com/sample/da72172e40686435fedc33045fd7e605531edd4b11617b6e605b459f047ce913", "https://hybrid-analysis.com/sample/2cfbf379c005c2c33276d56def17858aeded1996d0c5de0c9d607c88cda8897d", "gov-bam.nr-data.net", "bam.nr-data.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://45.159.189.105/bot/regex", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://www.anyxxxtube.net/media/favicon/apple" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Matrix", "display_name": "Matrix", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1384, "domain": 176, "hostname": 502, "FileHash-SHA256": 1609, "FileHash-MD5": 96, "FileHash-SHA1": 93, "CVE": 1 }, "indicator_count": 3861, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580d2e6c8373c7290d9ad8", "name": "Apple Private Data Collection Data.net\u2192Asp.net", "description": "", "modified": "2023-12-17T12:01:00.032000", "created": "2023-11-18T01:02:38.770000", "tags": [ "url http", "entries", "apple private data collection", "whois record", "contacted", "ssl certificate", "execution", "communicating", "referrer", "historical ssl", "tsara brashears", "collections dns", "rwi dtools", "relic", "monitoring", "vidar", "remcos", "august", "nanocore rat", "malware", "name verdict", "pattern match", "script", "beginstring", "mitre att", "misc attack", "ascii text", "null", "ck id", "show technique", "ck matrix", "date", "unknown", "error", "refresh", "span", "tools", "body", "class", "generator", "critical", "look", "verify", "restart", "meta", "hybrid", "general", "local", "click", "strings", "http://114.114.114.114:90/login", "brian sabey", "hallrender", "malvertizing", "dumping", "framing", "fraud services", "trojan", "command_and_control", "silencing", "retaliation", "cyber threat", "confusing", "impersonation", "network rat", "privilege abuse", "hijacker" ], "references": [ "https://hybrid-analysis.com/sample/da72172e40686435fedc33045fd7e605531edd4b11617b6e605b459f047ce913", "https://hybrid-analysis.com/sample/2cfbf379c005c2c33276d56def17858aeded1996d0c5de0c9d607c88cda8897d", "gov-bam.nr-data.net", "bam.nr-data.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://45.159.189.105/bot/regex", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://www.anyxxxtube.net/media/favicon/apple" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Matrix", "display_name": "Matrix", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1608.005", "name": "Link Target", "display_name": "T1608.005 - Link Target" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": "65576cfc8a3c48947d76db0e", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1384, "domain": 176, "hostname": 502, "FileHash-SHA256": 1609, "FileHash-MD5": 96, "FileHash-SHA1": 93, "CVE": 1 }, "indicator_count": 3861, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708feb95f4a8036bc00cdb", "name": "Legacy Infrastructure is being weaponised to harm consumers privacy - NUTS", "description": "", "modified": "2023-12-06T15:14:51.780000", "created": "2023-12-06T15:14:51.780000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 388, "URL": 450, "hostname": 237, "domain": 68 }, "indicator_count": 1144, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62bc43a9e65c77c381e213a3", "name": "Legacy Infrastructure is being weaponised to harm consumers privacy - NUTS", "description": "", "modified": "2022-07-29T00:00:24.010000", "created": "2022-06-29T12:20:57.629000", "tags": [ "opaltelecom", "talktalk still hacked", "legacy", "jabber", "spyware masked as ad fraud", "spyware masked as games", "nuts" ], "references": [ "VT graph Json upload", "https://www.virustotal.com/graph/g4110a4cf76164306882fcd5045aeb882cfd873ed2b13467ab1d5dcb8cf94eb1d", "10.100.112.67 and 10.103.2.210 and 172.26.35.7" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 237, "URL": 450, "domain": 68, "FileHash-SHA256": 388, "CVE": 1 }, "indicator_count": 1144, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1402 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://mails.familiemeister.ch", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://mails.familiemeister.ch", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780269612.6561875 }