{ "type": "URL", "indicator": "https://meltybeatz.infinity.airbit.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://meltybeatz.infinity.airbit.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3771293405, "indicator": "https://meltybeatz.infinity.airbit.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6529c91a4f8f0c898f48088c", "name": "quick look at vk.com", "description": "", "modified": "2025-06-26T22:23:19.431000", "created": "2023-10-13T22:47:54.295000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 1981, "domain": 506, "hostname": 1258, "URL": 3080 }, "indicator_count": 6861, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6695e27f356a22d97fba5ca8", "name": "Critical attack/s continues to affect YouTube Creator/s account/s", "description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23", "modified": "2024-08-15T02:00:24.886000", "created": "2024-07-16T03:01:17.316000", "tags": [ "win32 exe", "wextract", "kb file", "files", "file type", "javascript", "graph", "ip detections", "country", "userprofile", "runtime modules", "samplepath", "delnoderundll32", "mpgph131 hr", "hourly rl", "highest c", "mpgph131 lg", "onlogon rl", "highest", "process", "registrya", "registry keys", "registry", "windows policy", "shell folders", "file execution", "binary data", "security center", "text c", "peexe c", "xml c", "zip c", "file system", "written c", "dropped", "hashes", "windows nt", "wow64", "referer https", "date thu", "get https", "request", "gecko response", "gmt connection", "gmt vary", "etag", "accept", "win64", "query", "windows get", "internal", "set file", "create", "create process", "windows read", "shutdown system", "modify access", "delete registry", "enumerate", "behavior tags", "k0pmbc", "spsfsb", "ctsu", "efq78c", "egw7od", "en3i8d", "i6ydgd", "iz1fbc", "izt63", "kum7z", "vs2003", "sp1 build", "contained", "info compiler", "products", "header intel", "name md5", "type", "language", "simplified", "army", "variant sides", "with russia", "ramnit", "netsupport rat", "sneaky server", "replacement", "unauthorized", "sim unlock", "emotet", "chaos", "malicious", "critical", "copy", "life", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "cc linker", "urls", "gandi sas", "domains", "cloudflare", "ii llc", "psiusa", "domain robot", "ltd dba", "com laude", "ascio", "contacted", "ms word", "document", "b file", "html", "javascript jac", "html iu3", "executed by usa", "#wextract", "#unsigned", "thor", "stealer", "evader", "systemroot", "grum", "high", "delete c", "cape", "write", "103 read", "clsid read", "date read", "trojan", "united", "unknown", "status", "cname", "creation date", "search", "as1921", "austria unknown", "emails", "expiration date", "date", "pragma", "next", "passive dns", "backdoor", "win32", "scan endpoints", "all scoreblue", "ipv4", "usa", "co", "teams", "cybercrime", "spoof", "benjamin", "dynamicloader", "write c", "pe32 executable", "show", "yara rule", "windows", "recon", "worm", "powershell", "june", "delphi", "malware", "malice", "retaliation", "through the nights", "apple", "lenovo", "ios", "hackers", "move", "moved" ], "references": [ "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "https://www.youtube.com/watch?v=GyuMozsVyYs", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "nr-data.net [Apple Private Data Collection]", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WAT:Blacked-E", "display_name": "WAT:Blacked-E", "target": null }, { "id": "Win32:RmnDrp [Inf]", "display_name": "Win32:RmnDrp [Inf]", "target": null }, { "id": "AI:FileInfector.EAEEA7850C", "display_name": "AI:FileInfector.EAEEA7850C", "target": null }, { "id": "Virus.Ramnit/Nimnul", "display_name": "Virus.Ramnit/Nimnul", "target": null }, { "id": "Trojan.Crifi.1", "display_name": "Trojan.Crifi.1", "target": null }, { "id": "Trojan.MSIL.Injurer.cbd", "display_name": "Trojan.MSIL.Injurer.cbd", "target": null }, { "id": "Win.Downloader.Small-1645", "display_name": "Win.Downloader.Small-1645", "target": null }, { "id": "Trojan:Win32/Scrarev.C", "display_name": "Trojan:Win32/Scrarev.C", "target": "/malware/Trojan:Win32/Scrarev.C" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Speesipro.A", "display_name": "Trojan:Win32/Speesipro.A", "target": "/malware/Trojan:Win32/Speesipro.A" }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Backdoor:Win32/Likseput.B", "display_name": "Backdoor:Win32/Likseput.B", "target": "/malware/Backdoor:Win32/Likseput.B" }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003.007", "name": "Proc Filesystem", "display_name": "T1003.007 - Proc Filesystem" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology", "Civil Society", "Crime Victims" ], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4312, "domain": 1056, "hostname": 1818, "URL": 5125, "FileHash-MD5": 310, "FileHash-SHA1": 221, "email": 3 }, "indicator_count": 12845, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f55ed2015e05ffbc2b72a8", "name": "Control Server | Browser Install| Kernel Modules and Extensions", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-16T08:56:50.387000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "735 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980471600645142bcd924", "name": "Control Server | Browser Install| Kernel Modules and Extensions ", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-19T12:08:39.100000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "65f55ed2015e05ffbc2b72a8", "export_count": 187156, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "735 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655950034e6ae4650a6b02ce", "name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4", "description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-19T00:00:03.258000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655aef8a8cc2e0929f2aa5ea", "name": "Python Initiated Connection | Spyware | Remote Attacks |", "description": "", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-20T05:32:58.400000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "655950034e6ae4650a6b02ce", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655907b4d8c905f4475d8bcc", "name": "Apple iOS Spyware | Remote Attacks | Fraud Services | Part 3", "description": "Apple, Mac, iOS, phishing, frauds, malware, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and probably others. \nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T16:03:26.037000", "created": "2023-11-18T18:51:32.856000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8650, "hostname": 3073, "domain": 2708, "FileHash-MD5": 118, "FileHash-SHA256": 3552, "FileHash-SHA1": 104 }, "indicator_count": 18205, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655907b9da2479892590b77a", "name": "Apple iOS Spyware | Remote Attacks | Fraud Services | Part 3", "description": "Apple, Mac, iOS, phishing, frauds, malware, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and probably others. \nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T16:03:26.037000", "created": "2023-11-18T18:51:37.411000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8650, "hostname": 3073, "domain": 2708, "FileHash-MD5": 118, "FileHash-SHA256": 3552, "FileHash-SHA1": 104 }, "indicator_count": 18205, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8ec0568abca6f44e16f", "name": "quick look at vk.com", "description": "", "modified": "2023-12-06T17:01:32.275000", "created": "2023-12-06T17:01:32.275000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1981, "domain": 506, "hostname": 1262, "URL": 3080, "FileHash-MD5": 18, "FileHash-SHA1": 18 }, "indicator_count": 6865, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "https://goo.gl/9p2vKq", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "Ryuk: kramtechnology.com", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "https://api.wavebrowserbase.com", "Botnet Server IP: 141.226.230.48", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "nr-data.net [Apple Private Data Collection]", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "https://www.youtube.com/watch?v=GyuMozsVyYs", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "dev-app.project-cicada.com \u2022 project-cicada.com", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "api.acumatica.flex.redteam.com", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "Ryuk: http://kramtechnology.com/", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "IDS Detections Gh0stCringe CnC Activity M2", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "newrelic.se", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "Ransom: message.htm.com", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "CICADA Contextual Inference & Comprehensive Analysis Data Agent" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)" ], "malware_families": [ "Virtool:win32/obfuscator.k", "Virus:win32/sality.at", "Alf:heraklezeval:trojanspy:win32/socstealer", "Ransom:win32/crowti.a", "Win32:malob-bx", "Gc", "Alf:heraklezeval:trojan:win32/clipbanker", "Trojandownloader:win32/cutwail.bs", "Win.trojan.agent", "Trojan.crifi.1", "Backdoor:win32/likseput.b", "Doc.downloader.emotetred02220-9938909-0", "Trojandownloader:win32/upatre.aa", "Win.trojan.gh0strat-9955419-1", "Trojan:win32/scrarev.c", "Trojanspy", "Cymt", "Win32:rmndrp [inf]", "Trojandownloader:win32/nemucod", "Pws:win32/qqpass.b!mtb", "Trojandownloader:win32/upatre", "Win.downloader.small-1645", "Worm:win32/benjamin", "Maltiverse", "Wat:blacked-e", "Ai:fileinfector.eaeea7850c", "Trojan:win32/zombie.a", "Cl0p", "Trojandropper:win32/vb.il", "Generic", "Trojan.msil.injurer.cbd", "Et", "Virus.ramnit/nimnul", "Trojan:win32/speesipro.a" ], "industries": [ "Civil society", "Media", "Technology", "Crime victims" ], "unique_indicators": 88412 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/airbit.com", "whois": "http://whois.domaintools.com/airbit.com", "domain": "airbit.com", "hostname": "meltybeatz.infinity.airbit.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "693f3ef3b05672ba47b903e3", "name": "Create Amazing Password Forms - Project Cicada", "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)", "modified": "2026-01-13T22:02:50.260000", "created": "2025-12-14T22:49:23.114000", "tags": [ "cicada", "project cicada", "united states", "quasi government", "asnone country", "united", "moved", "agent", "meta", "title error", "reverse dns", "servers", "urls", "url analysis", "aaaa", "present dec", "ip address", "america flag", "unknown", "Christopher P. \u2018Buzz\u2019 Ahmann", "brian sabey.", "State of Colorado", "date checked", "url hostname", "server response", "google safe", "results mar", "avast avg", "qualified immunity", "address google", "freeman", "mathis", "special forces", "tailored access", "tao", "hacker force", "infiltrate", "manipulate", "sabotage", "tools", "show", "results nov", "9b", "tao operations", "root9b", "hunt operations", "error mar", "over watch", "overkill", "read c", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "local", "msie", "windows nt", "wow64", "slcc2", "media center", "suspicious_write_exe", "network_icmp", "antisandbox_restart", "creates_largekey", "infostealer_keylogger", "proess_martian", "injection_resumethread", "allocates_rwx", "targeted intelligence", "js_eval", "network_http", "name servers", "value domain", "domain name", "expiration date", "safe browsing", "unknown ns", "record value", "vercel", "certificate", "domain add", "refresh", "encrypt", "x vercel", "k jun", "mtb jul", "next http", "scans record", "value", "deployment not", "ransom", "trojan", "a domains", "safari", "android", "webkit", "animation", "click", "title", "passive dns", "gmt content", "arial helvetica", "ipv4 add", "status", "search", "emails", "as15169 google", "virtool", "cryp", "as396982", "win32", "error", "code", "domain", "showing", "query", "hostile", "observed dns", "et dns", "et info", "dns query", "malware", "push", "gmt cache", "sameorigin", "files", "url add", "http", "related nids", "files location", "flag united", "as44273 host", "hostname add", "unknown aaaa", "win32upatre dec", "mtb dec", "trojandropper", "hstr", "next associated", "backdoor", "entity", "tempe", "present sep", "hostname", "verdict", "lowfi", "usesscrrun", "ipv4", "element", "password", "developers", "create", "forms web", "group", "make sure", "autocomplete", "currentpassword", "make", "extraction", "data upload", "search otx", "ider data", "asn na", "ag da", "source level", "url text", "general full", "url https", "protocol h2", "security tls", "asn16509", "amazon02", "resource", "hash", "as16509", "us note", "route", "redacted for", "script urls", "japan unknown", "present apr", "present mar", "accept", "cookie", "path", "sectigo https", "encrypt https", "log id", "trustasia https", "amazon", "search criteria", "22965417271", "summary leaf", "timestamp entry", "log operator", "https", "script script", "cname", "present jun", "coup", "files ip", "address", "location united", "asn as16509", "color value", "item tile", "gmt max", "primary text", "text color", "play button", "search bar", "dasher", "flag", "bad traffic", "tls handshake", "failure", "analysis tip", "windir", "openurl c", "ascii text", "ck id", "show technique", "mitre att", "ck matrix", "pattern match", "network traffic", "beginstring", "show process", "null", "span", "general", "strings", "look", "verify", "restart", "dynamicloader", "ee fc", "yara rule", "ff d5", "c1 e0", "f0 ff", "ff ff", "eb e2", "ed b8", "fe ff", "june", "polymorphic", "network cnc", "cnc", "dead connect", "present nov", "france unknown", "generic http", "exe upload", "uploading exe", "intel", "ms windows", "medium", "http traffic", "monitored target", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "command", "suspicious", "informative", "name tactics", "spawns", "t1480 execution", "file defense", "file discovery", "t1071", "t1057", "segoe ui", "script", "html", "body", "twitter", "formbook cnc", "checkin", "pegasus", "get updates", "p2p zeus", "downloader", "mpress", "win32upatre sep", "win32upatre oct", "win32upatre nov", "india unknown", "r61afin", "common upatre", "write c", "cts exe", "ids detections", "open", "present aug", "singapore", "date", "creation date", "pentest people", "tesla hackers", "vietnam unknown", "viet nam", "company limited", "pulse pulses" ], "references": [ "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022", "dev-app.project-cicada.com \u2022 project-cicada.com", "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com", "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92", "Location United States ASN Nameservers ns- \u2022 482.awsdns-60.com.", "api.acumatica.flex.redteam.com", "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]", "CICADA Contextual Inference & Comprehensive Analysis Data Agent", "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png", "https://goo.gl/9p2vKq", "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound", "Yara: UPX , Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)", "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self", "Alerts: network_cnc_http network_http packer_unknown_pe_section_name", "Alerts: packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter", "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake", "IDS Detections Gh0stCringe CnC Activity M2", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users , massminer_gh0st", "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks", "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect", "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls", "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K", "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com" ], "public": 1, "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Doc.Downloader.EmotetRed02220-9938909-0", "display_name": "Doc.Downloader.EmotetRed02220-9938909-0", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Cymt", "display_name": "Cymt", "target": null }, { "id": "TrojanDownloader:Win32/Upatre.AA", "display_name": "TrojanDownloader:Win32/Upatre.AA", "target": "/malware/TrojanDownloader:Win32/Upatre.AA" }, { "id": "Win.Trojan.Gh0stRAT-9955419-1", "display_name": "Win.Trojan.Gh0stRAT-9955419-1", "target": null }, { "id": "Win32:MalOb-BX", "display_name": "Win32:MalOb-BX", "target": null }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "VirTool:Win32/Obfuscator.K", "display_name": "VirTool:Win32/Obfuscator.K", "target": "/malware/VirTool:Win32/Obfuscator.K" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11102, "hostname": 4142, "domain": 4251, "email": 15, "FileHash-SHA256": 3108, "FileHash-MD5": 624, "FileHash-SHA1": 490, "CIDR": 1, "SSLCertFingerprint": 3 }, "indicator_count": 23736, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6529c91a4f8f0c898f48088c", "name": "quick look at vk.com", "description": "", "modified": "2025-06-26T22:23:19.431000", "created": "2023-10-13T22:47:54.295000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 1981, "domain": 506, "hostname": 1258, "URL": 3080 }, "indicator_count": 6861, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6695e27f356a22d97fba5ca8", "name": "Critical attack/s continues to affect YouTube Creator/s account/s", "description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23", "modified": "2024-08-15T02:00:24.886000", "created": "2024-07-16T03:01:17.316000", "tags": [ "win32 exe", "wextract", "kb file", "files", "file type", "javascript", "graph", "ip detections", "country", "userprofile", "runtime modules", "samplepath", "delnoderundll32", "mpgph131 hr", "hourly rl", "highest c", "mpgph131 lg", "onlogon rl", "highest", "process", "registrya", "registry keys", "registry", "windows policy", "shell folders", "file execution", "binary data", "security center", "text c", "peexe c", "xml c", "zip c", "file system", "written c", "dropped", "hashes", "windows nt", "wow64", "referer https", "date thu", "get https", "request", "gecko response", "gmt connection", "gmt vary", "etag", "accept", "win64", "query", "windows get", "internal", "set file", "create", "create process", "windows read", "shutdown system", "modify access", "delete registry", "enumerate", "behavior tags", "k0pmbc", "spsfsb", "ctsu", "efq78c", "egw7od", "en3i8d", "i6ydgd", "iz1fbc", "izt63", "kum7z", "vs2003", "sp1 build", "contained", "info compiler", "products", "header intel", "name md5", "type", "language", "simplified", "army", "variant sides", "with russia", "ramnit", "netsupport rat", "sneaky server", "replacement", "unauthorized", "sim unlock", "emotet", "chaos", "malicious", "critical", "copy", "life", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "cc linker", "urls", "gandi sas", "domains", "cloudflare", "ii llc", "psiusa", "domain robot", "ltd dba", "com laude", "ascio", "contacted", "ms word", "document", "b file", "html", "javascript jac", "html iu3", "executed by usa", "#wextract", "#unsigned", "thor", "stealer", "evader", "systemroot", "grum", "high", "delete c", "cape", "write", "103 read", "clsid read", "date read", "trojan", "united", "unknown", "status", "cname", "creation date", "search", "as1921", "austria unknown", "emails", "expiration date", "date", "pragma", "next", "passive dns", "backdoor", "win32", "scan endpoints", "all scoreblue", "ipv4", "usa", "co", "teams", "cybercrime", "spoof", "benjamin", "dynamicloader", "write c", "pe32 executable", "show", "yara rule", "windows", "recon", "worm", "powershell", "june", "delphi", "malware", "malice", "retaliation", "through the nights", "apple", "lenovo", "ios", "hackers", "move", "moved" ], "references": [ "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "https://www.youtube.com/watch?v=GyuMozsVyYs", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "nr-data.net [Apple Private Data Collection]", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WAT:Blacked-E", "display_name": "WAT:Blacked-E", "target": null }, { "id": "Win32:RmnDrp [Inf]", "display_name": "Win32:RmnDrp [Inf]", "target": null }, { "id": "AI:FileInfector.EAEEA7850C", "display_name": "AI:FileInfector.EAEEA7850C", "target": null }, { "id": "Virus.Ramnit/Nimnul", "display_name": "Virus.Ramnit/Nimnul", "target": null }, { "id": "Trojan.Crifi.1", "display_name": "Trojan.Crifi.1", "target": null }, { "id": "Trojan.MSIL.Injurer.cbd", "display_name": "Trojan.MSIL.Injurer.cbd", "target": null }, { "id": "Win.Downloader.Small-1645", "display_name": "Win.Downloader.Small-1645", "target": null }, { "id": "Trojan:Win32/Scrarev.C", "display_name": "Trojan:Win32/Scrarev.C", "target": "/malware/Trojan:Win32/Scrarev.C" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Speesipro.A", "display_name": "Trojan:Win32/Speesipro.A", "target": "/malware/Trojan:Win32/Speesipro.A" }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Backdoor:Win32/Likseput.B", "display_name": "Backdoor:Win32/Likseput.B", "target": "/malware/Backdoor:Win32/Likseput.B" }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003.007", "name": "Proc Filesystem", "display_name": "T1003.007 - Proc Filesystem" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology", "Civil Society", "Crime Victims" ], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4312, "domain": 1056, "hostname": 1818, "URL": 5125, "FileHash-MD5": 310, "FileHash-SHA1": 221, "email": 3 }, "indicator_count": 12845, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f55ed2015e05ffbc2b72a8", "name": "Control Server | Browser Install| Kernel Modules and Extensions", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-16T08:56:50.387000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "735 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980471600645142bcd924", "name": "Control Server | Browser Install| Kernel Modules and Extensions ", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-19T12:08:39.100000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "65f55ed2015e05ffbc2b72a8", "export_count": 187156, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "735 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655950034e6ae4650a6b02ce", "name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4", "description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-19T00:00:03.258000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655aef8a8cc2e0929f2aa5ea", "name": "Python Initiated Connection | Spyware | Remote Attacks |", "description": "", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-20T05:32:58.400000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "655950034e6ae4650a6b02ce", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655907b4d8c905f4475d8bcc", "name": "Apple iOS Spyware | Remote Attacks | Fraud Services | Part 3", "description": "Apple, Mac, iOS, phishing, frauds, malware, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and probably others. \nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T16:03:26.037000", "created": "2023-11-18T18:51:32.856000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8650, "hostname": 3073, "domain": 2708, "FileHash-MD5": 118, "FileHash-SHA256": 3552, "FileHash-SHA1": 104 }, "indicator_count": 18205, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655907b9da2479892590b77a", "name": "Apple iOS Spyware | Remote Attacks | Fraud Services | Part 3", "description": "Apple, Mac, iOS, phishing, frauds, malware, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and probably others. \nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T16:03:26.037000", "created": "2023-11-18T18:51:37.411000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8650, "hostname": 3073, "domain": 2708, "FileHash-MD5": 118, "FileHash-SHA256": 3552, "FileHash-SHA1": 104 }, "indicator_count": 18205, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8ec0568abca6f44e16f", "name": "quick look at vk.com", "description": "", "modified": "2023-12-06T17:01:32.275000", "created": "2023-12-06T17:01:32.275000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1981, "domain": 506, "hostname": 1262, "URL": 3080, "FileHash-MD5": 18, "FileHash-SHA1": 18 }, "indicator_count": 6865, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://meltybeatz.infinity.airbit.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://meltybeatz.infinity.airbit.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776696778.8365977 }