{ "type": "URL", "indicator": "https://microsoft-ppe.com/api/log", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://microsoft-ppe.com/api/log", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3856691223, "indicator": "https://microsoft-ppe.com/api/log", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f55ed2015e05ffbc2b72a8", "name": "Control Server | Browser Install| Kernel Modules and Extensions", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-16T08:56:50.387000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980471600645142bcd924", "name": "Control Server | Browser Install| Kernel Modules and Extensions ", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-19T12:08:39.100000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "65f55ed2015e05ffbc2b72a8", "export_count": 186944, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f4ba867ec44a4dc0e6fc96", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com", "description": "Jiuxiu Live - High-quality beauty online video interactive community - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -porn dump. Performed tiny DNS test on affected target. \nDNS stuffing pornography. DNSpionage , custom browser, DNS tunneling encoding data, programs, protocols, DNS queries, responses, amplification attack; perform (DDoS) on server, flood attack, spoofing. Attack. Miles IT & affiliated logging inas target. Pitfall of being compromised for some; you won't speak to legitimate business unless you know & recognize voice. \nSome notations in references.", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-15T21:15:50.802000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980ad16123b5d52f5f76f", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com [Report originated from octoseek]", "description": "", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-19T12:10:21.291000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": "65f4ba867ec44a4dc0e6fc96", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: kramtechnology.com", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "Ransom: message.htm.com", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Botnet Server IP: 141.226.230.48", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "https://api.wavebrowserbase.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "Self whitelisting tool, domains moved within nginx.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "Ryuk: http://kramtechnology.com/", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "0-w5-cms.ultimate-guitar.com", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "newrelic.se", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Out For Blood" ], "malware_families": [ "Cl0p", "Trojanspy", "Generic", "Quasar", "Zbot", "Maltiverse", "Bulz", "Blacknet", "Fragtor" ], "industries": [ "Healthcare", "Private sector", "Civil society" ], "unique_indicators": 51971 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/microsoft-ppe.com", "whois": "http://whois.domaintools.com/microsoft-ppe.com", "domain": "microsoft-ppe.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f55ed2015e05ffbc2b72a8", "name": "Control Server | Browser Install| Kernel Modules and Extensions", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-16T08:56:50.387000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980471600645142bcd924", "name": "Control Server | Browser Install| Kernel Modules and Extensions ", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-19T12:08:39.100000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "65f55ed2015e05ffbc2b72a8", "export_count": 186944, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f4ba867ec44a4dc0e6fc96", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com", "description": "Jiuxiu Live - High-quality beauty online video interactive community - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -porn dump. Performed tiny DNS test on affected target. \nDNS stuffing pornography. DNSpionage , custom browser, DNS tunneling encoding data, programs, protocols, DNS queries, responses, amplification attack; perform (DDoS) on server, flood attack, spoofing. Attack. Miles IT & affiliated logging inas target. Pitfall of being compromised for some; you won't speak to legitimate business unless you know & recognize voice. \nSome notations in references.", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-15T21:15:50.802000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980ad16123b5d52f5f76f", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com [Report originated from octoseek]", "description": "", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-19T12:10:21.291000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": "65f4ba867ec44a4dc0e6fc96", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://microsoft-ppe.com/api/log", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://microsoft-ppe.com/api/log", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776630072.9812946 }