{ "type": "URL", "indicator": "https://masscat.afraid.org/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://masscat.afraid.org/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4141434142, "indicator": "https://masscat.afraid.org/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80c6bcd3fff3a4f126a68", "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ", "description": "", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T22:42:51.657000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "68f7ced2cf17d264b49628bc", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7582b2454d926e77db68c", "name": "AWS does have issues - Indictor removal service impacting threat hunting services", "description": "Malicious. I hope the pulse posted yesterday didn\u2019t lead to AWS outage. I learned about it a few a few hours ago. AWS does have issues, like having a monopoly and the type of services allowed to exist on their servers. I never saw the links until I learned. I appreciate tips , opinions , and sharing.received. An issue found on targets old iOS 14 device ,due to deletions . This had me researching a link that is related to multiple links researched before. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship). There are many other malicious indicators.", "modified": "2025-11-20T06:00:01.014000", "created": "2025-10-21T09:53:47.767000", "tags": [ "url http", "url https", "united", "sweden", "canada", "search", "type indicator", "added active", "related pulses", "aws", "passive dns", "urls", "files domain", "files related", "related tags", "none google", "safe browsing", "present jun", "present sep", "present aug", "present jul", "present oct", "present may", "ip address", "uruguay unknown", "india showing", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "unknown", "write", "read", "unknown www", "et trojan", "suspicious", "read c", "myagrent", "get myagrent", "win32", "malware", "ids detections", "et", "dynamicloader", "medium", "write c", "high", "pcratgh0st cnc", "backdoor family", "show", "ms windows", "trojandropper", "code", "next", "polymorphic", "indicator role", "title added", "active related", "report spam", "threat hunters", "brian", "sabey created", "day ago", "white indicator", "sabey", "worm", "emotet", "tags", "malware family", "ck ids", "t1140", "information", "t1045", "packing", "t1060", "dns", "role title", "filehashmd5", "malware attacks", "find encrypted", "pulses url", "q oct", "dns", "ators show", "tbmvid", "sourcelnms", "ipv4", "types", "indicators show" ], "references": [ "business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/", "Alerts: physical_drive_access deletes_executed_files anomalous_deletefile", "Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert", "Alerts: injection_rwx antivm_checks_available_memory queries_computer_name", "Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading", "Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout", "102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "Contacted ipp.getcash2018.com conf.f.360.cn", "All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "TrojanDropper:Win32/Zegost.B", "display_name": "TrojanDropper:Win32/Zegost.B", "target": "/malware/TrojanDropper:Win32/Zegost.B" }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "Trojan:Win32/Fugrafa", "display_name": "Trojan:Win32/Fugrafa", "target": "/malware/Trojan:Win32/Fugrafa" }, { "id": "Win32:MalwareX-gen", "display_name": "Win32:MalwareX-gen", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1224, "URL": 2979, "domain": 609, "FileHash-SHA256": 765, "FileHash-SHA1": 350, "FileHash-MD5": 374, "CVE": 1, "email": 1 }, "indicator_count": 6303, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f5cfa9b74d6faa43eb6585", "name": "Indicator Removal service affecting Threat Hunters | Brian Sabey", "description": "Indicator removal used by M. Brian Sabey to for the purpose of attacking networks and removing malicious indicators related to entities and attacks deployed by & Co. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship).\nThere are many other malicious indicators.\n\n* foundryvttcasero.roleros.cl", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-20T05:59:04.173000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80aa152fdd795fa008e2e", "name": "Small & Comisproc Indicator Removal service Affects Threat Hunter Sevices", "description": "", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-21T22:35:13.128000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": "68f5cfa9b74d6faa43eb6585", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains", "Alerts: injection_rwx antivm_checks_available_memory queries_computer_name", "Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert", "Alerts: physical_drive_access deletes_executed_files anomalous_deletefile", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "consolefoundry.date \u2022 http://consolefoundry.date", "target.dropboxbusiness.com", "gitea.neconsside.com \u2022 http://f7194.vip/login", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "Contacted ipp.getcash2018.com conf.f.360.cn", "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "2012647\tDropbox.com Offsite File Backup in Use", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "aohhpesayw.lawsonengineers.co.", "https://api.strem.io/api/addonCollectionGet%", "More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/pariham.a", "Neshta", "Worm:win32/autorun.xxy!bit", "Nids", "Trojandropper:win32/zegost.b", "Trojan:win32/fugrafa", "Worm:win32/autorun.b", "Backdoor:win32/fynloski.a", "Kentuchy", "Malwarex-gen", "Other malware", "Win32:malwarex-gen", "Zegost", "Et" ], "industries": [], "unique_indicators": 19460 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/afraid.org", "whois": "http://whois.domaintools.com/afraid.org", "domain": "afraid.org", "hostname": "masscat.afraid.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "68f7ced2cf17d264b49628bc", "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information", "description": "Multiple malware\u2019s targeting Dropbox & Ebay accounts. Referenced in earlier pukses. Further investigation shows link found in apps on multiple Apple devices. Afraid. Org still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuses in f the Palantir , Gotham , Foundry products being abused by law firms and Private Investigators.\nIt is very destructive, causing loss, these firms are literally stealing and making money with other people\u2019s intellectual property and tough luck on the actual inventor, artist, writer because they even steal , cancel your insurance or back accounts leaving you unable to make a claim. \n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians , family ,businesses, stalking tracking known location.", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T18:20:02.120000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80c6bcd3fff3a4f126a68", "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ", "description": "", "modified": "2025-11-20T17:00:05.377000", "created": "2025-10-21T22:42:51.657000", "tags": [ "united", "urls", "domain", "files", "files ip", "td td", "td tr", "a td", "dynamic dns", "arial", "worm", "trojandropper", "meta", "null", "enough", "hosts", "win32", "fast", "present oct", "present jul", "present sep", "present aug", "moved", "ip address", "error", "title", "ipv4 add", "url analysis", "hosting", "reverse dns", "america flag", "name servers", "body", "a domains", "passive dns", "welcome", "ok server", "gmt content", "twitter", "dynamicloader", "write c", "medium", "myapp", "high", "host", "delphi", "write", "code", "malware", "device driver", "backdoor", "msil", "present mar", "apanas", "regsetvalueexa", "msie", "windows nt", "wow64", "slcc2", "media center", "langturkish", "sublangdefault", "regdword", "persistence", "execution", "nids", "zegost", "trojan", "win32fugrafa", "malwarexgen att", "ck ids", "t1040", "sniffing", "location united", "united states", "KeyAuth Open-source Authentication System Domain (keyauth .win) ", "yara rule", "search", "blobx00x00x00", "guard", "encrypt", "afraid", "smartphone", "laptop", "tablet", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "ascii text", "size", "mitre att", "show technique", "refresh", "span", "hybrid", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "access att", "t1566 phishing", "font", "pattern match", "general", "contact", "premium", "never", "core", "external system", "http header", "network traffic", "sample", "antivirus", "systems found", "ipurl artifact", "network related", "sends traffic", "http outbound", "hostname add", "address", "registrar", "internet ltd", "livedomains", "creation date", "hostname", "domain add", "modrg", "sincpoatia", "utf8", "appdata", "temp", "fyfdz", "iepgq", "trlew", "copy", "kentuchy", "oljnmrfghb", "powershell", "sabey", "sokolove law" ], "references": [ "afraid.org | evergreen.afraid.org", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/", "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net", "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI", "https://api.strem.io/api/addonCollectionGet%", "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am", "aohhpesayw.lawsonengineers.co.", "Very Disappointing- foundry.neconsside.com \u2022 ftp.koldunmansurov.ru", "gitea.neconsside.com \u2022 http://f7194.vip/login", "2012647\tDropbox.com Offsite File Backup in Use", "target.dropboxbusiness.com", "consolefoundry.date \u2022 http://consolefoundry.date", "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Neshta", "display_name": "Neshta", "target": null }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "MalwareX-Gen", "display_name": "MalwareX-Gen", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Worm:Win32/AutoRun.B", "display_name": "Worm:Win32/AutoRun.B", "target": "/malware/Worm:Win32/AutoRun.B" }, { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "Kentuchy", "display_name": "Kentuchy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "68f7ced2cf17d264b49628bc", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 483, "hostname": 1397, "URL": 2874, "email": 2, "FileHash-MD5": 369, "FileHash-SHA1": 355, "FileHash-SHA256": 1534, "SSLCertFingerprint": 7 }, "indicator_count": 7021, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f7582b2454d926e77db68c", "name": "AWS does have issues - Indictor removal service impacting threat hunting services", "description": "Malicious. I hope the pulse posted yesterday didn\u2019t lead to AWS outage. I learned about it a few a few hours ago. AWS does have issues, like having a monopoly and the type of services allowed to exist on their servers. I never saw the links until I learned. I appreciate tips , opinions , and sharing.received. An issue found on targets old iOS 14 device ,due to deletions . This had me researching a link that is related to multiple links researched before. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship). There are many other malicious indicators.", "modified": "2025-11-20T06:00:01.014000", "created": "2025-10-21T09:53:47.767000", "tags": [ "url http", "url https", "united", "sweden", "canada", "search", "type indicator", "added active", "related pulses", "aws", "passive dns", "urls", "files domain", "files related", "related tags", "none google", "safe browsing", "present jun", "present sep", "present aug", "present jul", "present oct", "present may", "ip address", "uruguay unknown", "india showing", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "unknown", "write", "read", "unknown www", "et trojan", "suspicious", "read c", "myagrent", "get myagrent", "win32", "malware", "ids detections", "et", "dynamicloader", "medium", "write c", "high", "pcratgh0st cnc", "backdoor family", "show", "ms windows", "trojandropper", "code", "next", "polymorphic", "indicator role", "title added", "active related", "report spam", "threat hunters", "brian", "sabey created", "day ago", "white indicator", "sabey", "worm", "emotet", "tags", "malware family", "ck ids", "t1140", "information", "t1045", "packing", "t1060", "dns", "role title", "filehashmd5", "malware attacks", "find encrypted", "pulses url", "q oct", "dns", "ators show", "tbmvid", "sourcelnms", "ipv4", "types", "indicators show" ], "references": [ "business-support.intel.com \u2022 dns0.org \u2022 http://g-ns-1047.awsdns-20.org/", "Alerts: physical_drive_access deletes_executed_files anomalous_deletefile", "Alerts: suspicious_iocontrol_codes polymorphic static_pe_anomaly suricata_alert", "Alerts: injection_rwx antivm_checks_available_memory queries_computer_name", "Alerts: resumethread_remote_process antivm_generic_disk antisandbox_sleep dynamic_function_loading", "Alerts: enumerates_running_processes reads_self packer_unknown_pe_section_name contains_pe_overlay dropper queries_keyboard_layout", "102 Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "More PE Packer Microsoft Visual C++ Compilation | File Type PEXE - PE32 executable (GUI) Intel 80386, for MS Windows", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "Contacted ipp.getcash2018.com conf.f.360.cn", "All IP\u2019s Contacted 27.102.115.143 199.232.210.172 Domains", "IDS Detections: Backdoor family PCRat/Gh0st CnC traffic Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND)", "New? patch-aws-8y03-v202542-266-2.space.prod.a0core.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Zegost", "display_name": "Zegost", "target": null }, { "id": "TrojanDropper:Win32/Zegost.B", "display_name": "TrojanDropper:Win32/Zegost.B", "target": "/malware/TrojanDropper:Win32/Zegost.B" }, { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" }, { "id": "Trojan:Win32/Fugrafa", "display_name": "Trojan:Win32/Fugrafa", "target": "/malware/Trojan:Win32/Fugrafa" }, { "id": "Win32:MalwareX-gen", "display_name": "Win32:MalwareX-gen", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1224, "URL": 2979, "domain": 609, "FileHash-SHA256": 765, "FileHash-SHA1": 350, "FileHash-MD5": 374, "CVE": 1, "email": 1 }, "indicator_count": 6303, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f5cfa9b74d6faa43eb6585", "name": "Indicator Removal service affecting Threat Hunters | Brian Sabey", "description": "Indicator removal used by M. Brian Sabey to for the purpose of attacking networks and removing malicious indicators related to entities and attacks deployed by & Co. Impacts: Threat hunting services. * Worm:Win32/AutoRun.XXY!bit (Emotet and Neshta relationship).\nThere are many other malicious indicators.\n\n* foundryvttcasero.roleros.cl", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-20T05:59:04.173000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f80aa152fdd795fa008e2e", "name": "Small & Comisproc Indicator Removal service Affects Threat Hunter Sevices", "description": "", "modified": "2025-11-19T05:02:39.961000", "created": "2025-10-21T22:35:13.128000", "tags": [ "url https", "url http", "hostname", "b9sdwan", "b9 no", "united", "passive dns", "ipv4 add", "urls", "location united", "america flag", "san jose", "trojan", "canada unknown", "hostname add", "url analysis", "http", "ip address", "related nids", "path", "america asn", "as4983 intel", "canada", "gmt p3p", "cp noi", "adm dev", "psai com", "unknown ns", "united states", "twitter", "url add", "files location", "flag united", "status", "emails", "servers", "mtb aug", "win32", "invalid url", "lowfi", "body html", "head title", "files", "files ip", "filehashmd5", "iocs", "type indicator", "role title", "related pulses", "dynamicloader", "directui", "write c", "element", "classinfobase", "forbidden", "write", "high", "worm", "delphi", "guard", "error", "vmprotect", "malware", "defender", "suspicious", "port", "read c", "destination", "crlf line", "rgba", "unicode", "png image", "td td", "td tr", "a td", "dynamic dns", "search", "arial", "trojandropper", "null", "enough", "hosts", "fast", "afraid", "a domains", "welcome", "ok server", "gmt content", "present sep", "unknown soa", "unknown cname", "present oct", "present aug", "event rocket", "title", "cookie", "encrypt", "sabey type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun.XXY!bit", "display_name": "Worm:Win32/AutoRun.XXY!bit", "target": "/malware/Worm:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": "68f5cfa9b74d6faa43eb6585", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1434, "URL": 3982, "FileHash-MD5": 391, "FileHash-SHA1": 309, "FileHash-SHA256": 1525, "domain": 758, "email": 10, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 8413, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://masscat.afraid.org/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://masscat.afraid.org/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776615496.0004182 }