{ "type": "URL", "indicator": "https://maps.marksypark.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://maps.marksypark.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3785878034, "indicator": "https://maps.marksypark.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "65bc0cf9b0dac1aa7f9046cf", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:25.092000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "822 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0cfda433eb05bde3827b", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:29.606000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "822 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d2518a7ef9bb17df1b9", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:09.832000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "822 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d302007152543202bac", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:20.375000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 310, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "822 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659c88827d014b8ac6738dae", "name": "STRIVEN.COM | Remote videos to my device | Disabled WiFi or Bluetooth | Malicious ", "description": "", "modified": "2024-02-07T23:03:25.817000", "created": "2024-01-08T23:42:58.409000", "tags": [ "as21690", "united", "unknown", "search", "entries", "creation date", "scan endpoints", "all search", "otx octoseek", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d65255c80d866add600bac", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1448, "hostname": 3973, "email": 2, "URL": 10456, "FileHash-SHA256": 3308, "FileHash-MD5": 354, "FileHash-SHA1": 350, "CVE": 2 }, "indicator_count": 19893, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658b9e86f7a149333882bfb9", "name": "Hijacking | Typosquatting | Masquerading Shared Modules", "description": "*Shared Modules\t\nExecution\nAdversaries may execute malicious payloads via loading shared modules.\n\n*Masquerading\t\nDefense Evasion\nAdversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.\n\nComponent Object Model Hijacking\t\nPersistence\nPrivilege Escalation\nAdversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.\nPulse: http://ww1.thecoolzipextractorapp.com/\nFound in: https://www.hallrender.com/attorney/brian-sabey/", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T03:48:22.319000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "859 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ca3f53717bb3a25e96065", "name": "Hijacking | Typosquatting | Masquerading Shared Modules | http://ww1.thecoolzipextractorapp.com/ via https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T22:23:49.562000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "658b9e86f7a149333882bfb9", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "859 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65618963e4e45d0c53f8e770", "name": "ww1.imobitracking.net", "description": "critical, cronup threat, cyber threat, data, serious, tracking, emails collection, relay router , emotet, exploit, content reputation.\n\nSerious tracking efforts, malicious.", "modified": "2023-12-25T03:01:27.395000", "created": "2023-11-25T05:42:59.043000", "tags": [ "creation date", "search", "passive dns", "urls", "address", "record value", "emails", "date", "showing", "body", "unknown", "cowboy", "encrypt", "resolver ip", "whois lookups", "server", "iana id", "registrar abuse", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "registrar", "first", "dns replication", "algorithm", "key usage", "google", "record type", "ttl value", "cname", "data", "v3 serial", "contacted", "ssl certificate", "threat roundup", "march", "august", "referrer", "whois record", "communicating", "june", "april", "copy", "february", "cobalt strike", "remcos", "emotet", "core", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware site", "phishing site", "malicious site", "malware", "internet storm", "united", "cyber threat", "heur", "malicious url", "mail spammer", "suppobox", "bambernek", "cronup threat", "team", "facebook", "malicious", "phishing", "download", "virut", "unruy", "bandoo", "matsnu", "tofsee", "simda", "vawtrak", "hotmail", "qakbot", "asyncrat", "tsara brashears", "no data", "count blacklist", "tag tag", "pattern match", "ascii text", "file", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "appdata", "path", "hybrid", "general", "local", "click", "strings", "class", "generator", "critical", "error", "tor known", "tor relayrouter", "node tcp", "traffic", "host", "cins active", "poor reputation", "spammer", "barracuda et", "artemis", "iframe", "cleaner", "unsafe", "riskware", "agent", "wacatac", "bank", "opencandy", "nircmd", "swrort", "downldr", "crack", "presenoker", "filetour", "conduit", "xtrat", "azorult", "service", "runescape", "acint", "systweak", "behav", "tiggre", "genkryptik", "exploit", "xrat", "installcore", "patcher", "adload", "win64", "softcnapp", "union", "ponmocup", "fusioncore", "trojanspy", "webtoolbar", "maltiverse", "114.114.114.114", "tulach", "tracking", "apple", "illegal", "target", "c2", "cnc", "scanning_host", "CVE-2011-0611", "CVE-2017-0147", "CVE-2014-3153", "CVE-2016-0189", "CVE-2017-0199", "CVE-2017-8570", "CVE-2017-11882", "CVE-2018-4893", "CVE-2018-8174", "CVE-2020-0601", "CVE-2023-22518" ], "references": [ "ww1.imobitracking.net", "https://www.hybrid-analysis.com/sample/dcf9f5e78d4645b38540d25c4d8ca7fe3e019671caadf7cade4cc01008282bff", "114.114.114.114", "signin-appleid.jackpotiot.com", "https://www.anyxxxtube.net/media/favicon/apple", "http://manage.apple.com.webobjectsd5dbc98dcc983a7028bd82d1a47540.dsiblings.com/Info/information.html", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://httpdev.findatoyota.com", "https://secure.medicalexpo.com/request-management-ws/views/contact-details.xhtml?token=A3QIgyaKRur%2BIjZfA4R8MkKBwXLdgMI5Gg%2F0dwmuMj0", "t.prototype.hasownproperty.call", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://trkr.similarphotocleaner.com/trackerwcfsrv/tracker.svc/trackoffersview/?q=pxl=mco2191_mco2146_mco1132&utm_source=mcosfl&utm_medium=mcosfl&utm_campaign=mcosfl&x-count=1&x-context=osversion-5.1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Bandoo", "display_name": "Bandoo", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "TrojanDropper:Win32/Ponmocup", "display_name": "TrojanDropper:Win32/Ponmocup", "target": "/malware/TrojanDropper:Win32/Ponmocup" } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1569, "FileHash-MD5": 489, "URL": 7420, "domain": 917, "FileHash-SHA1": 247, "email": 3, "FileHash-SHA256": 2578, "CVE": 11 }, "indicator_count": 13234, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6561581c55aacc7f571968af", "name": "Mirai | Inmortal | Loki | SpyEye", "description": "attack, cyber threat, network, vehicle tracking, cnc, athena cyber stalking, betabot, social engineering, Cisco umbrella, bambernek simda, active threat, ongoing spreader, spyware, redline stealer, qakbot, anilise, milemighmedia, sweetheart videos botnetwork, targeting , redirects, network, targeted toyota tracking", "modified": "2023-12-25T01:00:05.300000", "created": "2023-11-25T02:12:44.278000", "tags": [ "replication", "date", "graph summary", "ssl certificate", "contacted", "whois record", "historical ssl", "threat roundup", "august", "tsara brashears", "whois whois", "execution", "dropped", "february", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "alexa top", "team", "malicious site", "malware", "phishing", "union", "bank", "unsafe", "united", "bambernek simda", "commerce", "pykspa", "bambernek", "ip reputation", "database", "vawtrak", "blacklist http", "search live", "api blog", "docs pricing", "login", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "reverse dns", "software", "general full", "resource", "hash", "get h2", "protocol h2", "security tls", "url http", "main", "attention", "please", "adblock pro", "loki", "mon jul", "first", "linkid252669", "pjp3sltkz", "heur", "malware site", "phishing site", "artemis", "iframe", "riskware", "exploit", "fakealert", "nircmd", "swrort", "downldr", "crack", "filetour", "cleaner", "wacatac", "xtrat", "genkryptik", "opencandy", "tiggre", "presenoker", "agent", "conduit", "xrat", "coinminer", "dropper", "alexa", "acint", "systweak", "behav", "download", "zbot", "xtreme", "installcore", "unruy", "patcher", "adload", "win64", "applicunwnt", "trojanspy", "webtoolbar", "cyber threat", "engineering", "firehol", "phishtank", "emotet", "ransomware", "malicious", "cobalt strike", "suppobox", "bradesco", "facebook", "banco", "nymaim", "smsspy", "stealer", "service", "mirai", "pony", "nanocore", "asyncrat", "downloader", "deepscan", "virut", "qakbot", "name verdict", "falcon sandbox", "blacklist https", "malicious url", "filerepmetagen", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "C2", "command_and_control", "spyware", "tracking", "targeting", "cyber stalking", "hostname", "simda", "kraken", "betabot", "zeus", "ramnit", "plasma", "citadel", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "spyeye", "vskimmer", "spitmo", "slingshot", "warbot", "redline stealer", "steam", "bandoo", "matsnu", "maltiverse", "bambernek gen", "internet storm", "infy", "inmortal", "addtopayload", "attack", "malvertizing" ], "references": [ "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "http://dev.findatoyota.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "MilesMX", "display_name": "MilesMX", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2450, "FileHash-SHA256": 2684, "domain": 1254, "URL": 9244, "CVE": 13, "FileHash-MD5": 931, "FileHash-SHA1": 487 }, "indicator_count": 17063, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "https://www.anyxxxtube.net/media/favicon/apple", "angebot.staude.de", "Trojan:Win32/WannaCry.350", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "signin-appleid.jackpotiot.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "ww1.imobitracking.net", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/", "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "https://httpdev.findatoyota.com", "http://dev.findatoyota.com/", "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "c1a99e3bde9bad27e463c32b96311312.virus", "CS IDS rule: (port_scan) TCP filtered portsweep", "https://www.hybrid-analysis.com/sample/dcf9f5e78d4645b38540d25c4d8ca7fe3e019671caadf7cade4cc01008282bff", "https://secure.medicalexpo.com/request-management-ws/views/contact-details.xhtml?token=A3QIgyaKRur%2BIjZfA4R8MkKBwXLdgMI5Gg%2F0dwmuMj0", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "deviceinbox.com", "114.114.114.114", "http://trkr.similarphotocleaner.com/trackerwcfsrv/tracker.svc/trackoffersview/?q=pxl=mco2191_mco2146_mco1132&utm_source=mcosfl&utm_medium=mcosfl&utm_campaign=mcosfl&x-count=1&x-context=osversion-5.1", "http://manage.apple.com.webobjectsd5dbc98dcc983a7028bd82d1a47540.dsiblings.com/Info/information.html", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "cellebrite.com | enterprise.cellebrite.com", "t.prototype.hasownproperty.call", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Group - Pegasus" ], "malware_families": [ "Xrat", "Remcos", "Bandoo", "Private internet access", "Inmortal", "Webtoolbar", "Suppobox", "Opencandy", "Citadel", "Tulach malware", "Virut", "Trojan:win32/wannacry.350", "Trojanspy", "Vawtrak", "Spyeye", "Milesmx", "Tofsee", "Tiggre", "Trojandropper:win32/ponmocup", "Domains" ], "industries": [], "unique_indicators": 69661 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/marksypark.com", "whois": "http://whois.domaintools.com/marksypark.com", "domain": "marksypark.com", "hostname": "maps.marksypark.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "65bc0cf9b0dac1aa7f9046cf", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:25.092000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "822 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0cfda433eb05bde3827b", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:29.606000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "822 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d2518a7ef9bb17df1b9", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:09.832000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "822 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d302007152543202bac", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:20.375000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 310, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "822 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659c88827d014b8ac6738dae", "name": "STRIVEN.COM | Remote videos to my device | Disabled WiFi or Bluetooth | Malicious ", "description": "", "modified": "2024-02-07T23:03:25.817000", "created": "2024-01-08T23:42:58.409000", "tags": [ "as21690", "united", "unknown", "search", "entries", "creation date", "scan endpoints", "all search", "otx octoseek", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d65255c80d866add600bac", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1448, "hostname": 3973, "email": 2, "URL": 10456, "FileHash-SHA256": 3308, "FileHash-MD5": 354, "FileHash-SHA1": 350, "CVE": 2 }, "indicator_count": 19893, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658b9e86f7a149333882bfb9", "name": "Hijacking | Typosquatting | Masquerading Shared Modules", "description": "*Shared Modules\t\nExecution\nAdversaries may execute malicious payloads via loading shared modules.\n\n*Masquerading\t\nDefense Evasion\nAdversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.\n\nComponent Object Model Hijacking\t\nPersistence\nPrivilege Escalation\nAdversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.\nPulse: http://ww1.thecoolzipextractorapp.com/\nFound in: https://www.hallrender.com/attorney/brian-sabey/", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T03:48:22.319000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "859 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ca3f53717bb3a25e96065", "name": "Hijacking | Typosquatting | Masquerading Shared Modules | http://ww1.thecoolzipextractorapp.com/ via https://www.hallrender.com/attorney/brian-sabey/", "description": "", "modified": "2024-01-26T01:05:54.754000", "created": "2023-12-27T22:23:49.562000", "tags": [ "threat", "feeds ioc", "new ioc", "teams api", "contact", "maltiverse", "dinkle threat", "paste", "iocs", "analyze", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "communicating", "whois whois", "siblings parent", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "658b9e86f7a149333882bfb9", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12134, "FileHash-MD5": 102, "FileHash-SHA1": 101, "FileHash-SHA256": 3982, "hostname": 2878, "domain": 2159, "CVE": 1 }, "indicator_count": 21357, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "859 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65618963e4e45d0c53f8e770", "name": "ww1.imobitracking.net", "description": "critical, cronup threat, cyber threat, data, serious, tracking, emails collection, relay router , emotet, exploit, content reputation.\n\nSerious tracking efforts, malicious.", "modified": "2023-12-25T03:01:27.395000", "created": "2023-11-25T05:42:59.043000", "tags": [ "creation date", "search", "passive dns", "urls", "address", "record value", "emails", "date", "showing", "body", "unknown", "cowboy", "encrypt", "resolver ip", "whois lookups", "server", "iana id", "registrar abuse", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "registrar", "first", "dns replication", "algorithm", "key usage", "google", "record type", "ttl value", "cname", "data", "v3 serial", "contacted", "ssl certificate", "threat roundup", "march", "august", "referrer", "whois record", "communicating", "june", "april", "copy", "february", "cobalt strike", "remcos", "emotet", "core", "noname057", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware site", "phishing site", "malicious site", "malware", "internet storm", "united", "cyber threat", "heur", "malicious url", "mail spammer", "suppobox", "bambernek", "cronup threat", "team", "facebook", "malicious", "phishing", "download", "virut", "unruy", "bandoo", "matsnu", "tofsee", "simda", "vawtrak", "hotmail", "qakbot", "asyncrat", "tsara brashears", "no data", "count blacklist", "tag tag", "pattern match", "ascii text", "file", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "appdata", "path", "hybrid", "general", "local", "click", "strings", "class", "generator", "critical", "error", "tor known", "tor relayrouter", "node tcp", "traffic", "host", "cins active", "poor reputation", "spammer", "barracuda et", "artemis", "iframe", "cleaner", "unsafe", "riskware", "agent", "wacatac", "bank", "opencandy", "nircmd", "swrort", "downldr", "crack", "presenoker", "filetour", "conduit", "xtrat", "azorult", "service", "runescape", "acint", "systweak", "behav", "tiggre", "genkryptik", "exploit", "xrat", "installcore", "patcher", "adload", "win64", "softcnapp", "union", "ponmocup", "fusioncore", "trojanspy", "webtoolbar", "maltiverse", "114.114.114.114", "tulach", "tracking", "apple", "illegal", "target", "c2", "cnc", "scanning_host", "CVE-2011-0611", "CVE-2017-0147", "CVE-2014-3153", "CVE-2016-0189", "CVE-2017-0199", "CVE-2017-8570", "CVE-2017-11882", "CVE-2018-4893", "CVE-2018-8174", "CVE-2020-0601", "CVE-2023-22518" ], "references": [ "ww1.imobitracking.net", "https://www.hybrid-analysis.com/sample/dcf9f5e78d4645b38540d25c4d8ca7fe3e019671caadf7cade4cc01008282bff", "114.114.114.114", "signin-appleid.jackpotiot.com", "https://www.anyxxxtube.net/media/favicon/apple", "http://manage.apple.com.webobjectsd5dbc98dcc983a7028bd82d1a47540.dsiblings.com/Info/information.html", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://httpdev.findatoyota.com", "https://secure.medicalexpo.com/request-management-ws/views/contact-details.xhtml?token=A3QIgyaKRur%2BIjZfA4R8MkKBwXLdgMI5Gg%2F0dwmuMj0", "t.prototype.hasownproperty.call", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "http://trkr.similarphotocleaner.com/trackerwcfsrv/tracker.svc/trackoffersview/?q=pxl=mco2191_mco2146_mco1132&utm_source=mcosfl&utm_medium=mcosfl&utm_campaign=mcosfl&x-count=1&x-context=osversion-5.1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Bandoo", "display_name": "Bandoo", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "TrojanDropper:Win32/Ponmocup", "display_name": "TrojanDropper:Win32/Ponmocup", "target": "/malware/TrojanDropper:Win32/Ponmocup" } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1569, "FileHash-MD5": 489, "URL": 7420, "domain": 917, "FileHash-SHA1": 247, "email": 3, "FileHash-SHA256": 2578, "CVE": 11 }, "indicator_count": 13234, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6561581c55aacc7f571968af", "name": "Mirai | Inmortal | Loki | SpyEye", "description": "attack, cyber threat, network, vehicle tracking, cnc, athena cyber stalking, betabot, social engineering, Cisco umbrella, bambernek simda, active threat, ongoing spreader, spyware, redline stealer, qakbot, anilise, milemighmedia, sweetheart videos botnetwork, targeting , redirects, network, targeted toyota tracking", "modified": "2023-12-25T01:00:05.300000", "created": "2023-11-25T02:12:44.278000", "tags": [ "replication", "date", "graph summary", "ssl certificate", "contacted", "whois record", "historical ssl", "threat roundup", "august", "tsara brashears", "whois whois", "execution", "dropped", "february", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "alexa top", "team", "malicious site", "malware", "phishing", "union", "bank", "unsafe", "united", "bambernek simda", "commerce", "pykspa", "bambernek", "ip reputation", "database", "vawtrak", "blacklist http", "search live", "api blog", "docs pricing", "login", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "reverse dns", "software", "general full", "resource", "hash", "get h2", "protocol h2", "security tls", "url http", "main", "attention", "please", "adblock pro", "loki", "mon jul", "first", "linkid252669", "pjp3sltkz", "heur", "malware site", "phishing site", "artemis", "iframe", "riskware", "exploit", "fakealert", "nircmd", "swrort", "downldr", "crack", "filetour", "cleaner", "wacatac", "xtrat", "genkryptik", "opencandy", "tiggre", "presenoker", "agent", "conduit", "xrat", "coinminer", "dropper", "alexa", "acint", "systweak", "behav", "download", "zbot", "xtreme", "installcore", "unruy", "patcher", "adload", "win64", "applicunwnt", "trojanspy", "webtoolbar", "cyber threat", "engineering", "firehol", "phishtank", "emotet", "ransomware", "malicious", "cobalt strike", "suppobox", "bradesco", "facebook", "banco", "nymaim", "smsspy", "stealer", "service", "mirai", "pony", "nanocore", "asyncrat", "downloader", "deepscan", "virut", "qakbot", "name verdict", "falcon sandbox", "blacklist https", "malicious url", "filerepmetagen", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "C2", "command_and_control", "spyware", "tracking", "targeting", "cyber stalking", "hostname", "simda", "kraken", "betabot", "zeus", "ramnit", "plasma", "citadel", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "spyeye", "vskimmer", "spitmo", "slingshot", "warbot", "redline stealer", "steam", "bandoo", "matsnu", "maltiverse", "bambernek gen", "internet storm", "infy", "inmortal", "addtopayload", "attack", "malvertizing" ], "references": [ "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "http://dev.findatoyota.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "MilesMX", "display_name": "MilesMX", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2450, "FileHash-SHA256": 2684, "domain": 1254, "URL": 9244, "CVE": 13, "FileHash-MD5": 931, "FileHash-SHA1": 487 }, "indicator_count": 17063, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "891 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://maps.marksypark.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://maps.marksypark.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780492126.509976 }