{ "type": "URL", "indicator": "https://mx4.veic.fr", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://mx4.veic.fr", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3164302689, "indicator": "https://mx4.veic.fr", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 32, "pulses": [ { "id": "66d32648280eb859dfca1c19", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:48.037000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d3264283628d23b8f28b9d", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:42.621000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a20ff8db3854e863dca324", "name": "Shared Modules | Hijacker | Masquerading", "description": "", "modified": "2024-02-12T04:01:56.040000", "created": "2024-01-13T04:22:16.961000", "tags": [ "filehashmd5", "no expiration", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "hostname", "expiration", "domain", "url https", "url http", "source", "stix", "email", "email abuse", "goreasonlimited", "cc no", "tompc", "sum35", "domain xn", "searchbox0", "domainname0", "view", "apple", "apple id", "hijacking", "masquerading", "exploit", "cams", "monitoring", "loki bot", "dns", "open ports", "malvertizing", "malware hosting", "apple script", "js user", "dga", "dga domains", "malware", "multiple_versions", "wagersta", "decode", "system information discovery", "decrypt", "evasion", "defense evasion", "emotet", "android", "ios", "wannacry", "trojan", "worm", "cyber threat", "benjamin", "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "contacted urls", "execution", "whois whois", "whois sslcert", "and china", "drop", "uchealth", "university of cincinnati health" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 2296, "FileHash-SHA256": 3362, "URL": 6191, "domain": 2033, "hostname": 3097, "email": 37, "CVE": 2 }, "indicator_count": 19719, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597f9c7542ffc6fffaecb30", "name": "Injection (RunPE) |Win.Packer - https://myminiweb.com", "description": "polypragmonic, dns, win.packer, ig hacking, network bind, tracking", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:44:55.030000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4d4b5e060fb8a606a8", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.403000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4da16bd99cc5c02528", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.406000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be8f1e5db08cf140cdea23", "name": "TinyNote | Douglas County, Co Sheriff's Office | Pegasus Attacks SA victim ", "description": "", "modified": "2024-02-03T19:08:14.934000", "created": "2024-02-03T19:08:14.934000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "65b85d301a253bd67048cbba", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "806 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a2e3ebbb1bdfd541af3e91", "name": "TinyNote | Douglas County, Colorado Sheriff's Office?", "description": "", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-13T19:26:35.621000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "6593c7224a0e8926c28f73d5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85d301a253bd67048cbba", "name": "TinyNote | Douglas County, Co Sheriff's Office | Pegasus Attacks SA victim ", "description": "", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-30T02:21:36.334000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "65a2e3ebbb1bdfd541af3e91", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6593c7224a0e8926c28f73d5", "name": "TinyNote | Douglas County, Colorado Sheriff's Office?", "description": "Sent to me by D*n*i* M. P*r**h. I can't comprehend. Looks like framing and cyber tracking pf a SA victim by a sheriff best friend of reporting doctor whose wife is Douglas Co coroner. Reporting MD threatened and warned Brashears of what would happen then warned SA PT by relating issues. Targets and associated as severe risk.", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-02T08:19:45.693000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f9011e57040b2717c99c", "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:45.262000", "created": "2023-12-31T05:15:45.262000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "6590f8f3b192d56e80294c13", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "840 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6590f8f3b192d56e80294c13", "name": "Aig.com Pegasus attack+ https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa", "description": "", "modified": "2023-12-31T05:15:31.645000", "created": "2023-12-31T05:15:31.645000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653f21878bcd05f7d594ff86", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "840 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65610ac149b19048e822118b", "name": "http://errors.dropopenobject.com/mac-error.gif?app=60094&campaign=", "description": "http://errors.dropopenobject.com/mac-error.gif?app=60094&campaign=2929&errtype=updatedownloaderinfo&funcname=updatedownloader::main&ibic=30b1f00119b0edae535883513aec9512&msg=start&os=mac_10_16&rnd=1663869393157734&ver=upd_01-27&verifier=db079154c6b8d1935cf1cf6cda123e25", "modified": "2023-12-24T19:00:45.425000", "created": "2023-11-24T20:42:41.302000", "tags": [ "passive dns", "urls", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "none file", "type textplain", "cyber threat", "united", "team", "covid19", "phishtank", "engineering", "phishing site", "malware site", "malware", "phishing", "malicious", "bank", "zeus", "zbot", "tinba", "stealer", "miner", "ponmocup", "ave maria", "artemis", "nymaim", "emotet", "redline stealer", "qakbot", "asyncrat", "cobalt strike", "suppobox", "ramnit", "ransomware", "matsnu", "kraken", "simda", "citadel", "vawtrak", "tag count", "mon oct", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "netsky", "team malware", "blacklist http" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 222, "FileHash-SHA1": 122, "FileHash-SHA256": 2023, "URL": 6912, "domain": 1503, "hostname": 1755, "CVE": 1 }, "indicator_count": 12538, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65610ac30744fcf636cc2a67", "name": "http://errors.dropopenobject.com/mac-error.gif?app=60094&campaign=", "description": "http://errors.dropopenobject.com/mac-error.gif?app=60094&campaign=2929&errtype=updatedownloaderinfo&funcname=updatedownloader::main&ibic=30b1f00119b0edae535883513aec9512&msg=start&os=mac_10_16&rnd=1663869393157734&ver=upd_01-27&verifier=db079154c6b8d1935cf1cf6cda123e25", "modified": "2023-12-24T19:00:45.425000", "created": "2023-11-24T20:42:43.965000", "tags": [ "passive dns", "urls", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "none file", "type textplain", "cyber threat", "united", "team", "covid19", "phishtank", "engineering", "phishing site", "malware site", "malware", "phishing", "malicious", "bank", "zeus", "zbot", "tinba", "stealer", "miner", "ponmocup", "ave maria", "artemis", "nymaim", "emotet", "redline stealer", "qakbot", "asyncrat", "cobalt strike", "suppobox", "ramnit", "ransomware", "matsnu", "kraken", "simda", "citadel", "vawtrak", "tag count", "mon oct", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "netsky", "team malware", "blacklist http" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 222, "FileHash-SHA1": 122, "FileHash-SHA256": 2023, "URL": 6912, "domain": 1503, "hostname": 1755, "CVE": 1 }, "indicator_count": 12538, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7c9f6bf793f823e6398", "name": "Qakbot attacks. As strong as before?", "description": "", "modified": "2023-12-06T16:56:41.266000", "created": "2023-12-06T16:56:41.266000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "hostname": 1177, "FileHash-SHA256": 2150, "domain": 620, "URL": 3016, "FileHash-MD5": 519, "FileHash-SHA1": 292 }, "indicator_count": 7775, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7b4eb565273001e2e08", "name": "Ireland Netsky | Relay Router | Misc Attack on LTL Fright Outage", "description": "", "modified": "2023-12-06T16:56:20.491000", "created": "2023-12-06T16:56:20.491000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1353, "CVE": 8, "FileHash-SHA256": 3611, "domain": 795, "URL": 2831, "FileHash-MD5": 663, "FileHash-SHA1": 398 }, "indicator_count": 9659, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707fa9e514ca975b6db5ca", "name": "NYTIMES.COM", "description": "", "modified": "2023-12-06T14:05:29.348000", "created": "2023-12-06T14:05:29.348000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 936, "hostname": 1927, "URL": 4576, "domain": 989, "email": 2, "FileHash-MD5": 2, "FileHash-SHA1": 4 }, "indicator_count": 8437, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707c9df9c33dd5983b366a", "name": "TrueCar.com", "description": "", "modified": "2023-12-06T13:52:29.953000", "created": "2023-12-06T13:52:29.953000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1156, "domain": 4253, "hostname": 4203, "URL": 17071, "FileHash-MD5": 13, "FileHash-SHA1": 5, "email": 1 }, "indicator_count": 26702, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f21878bcd05f7d594ff86", "name": " AIG Hacked or Spoofed website?", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-30T03:22:47.684000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653db044432cdee91e2f5d1c", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f05ff39b2dee54b89d17a", "name": "AIG Hacked or Spoofed website?", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-30T01:25:19.036000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653db0487ec8c7a4c0b1ef0e", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f02c459cc8bcaa5ebeb7a", "name": "Targeted hacking via malicious DGA insurance domains AIGcom", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-30T01:11:32.672000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "653db32c6a6193714e513695", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db32c6a6193714e513695", "name": "Targeted hacking via malicious DGA insurance domains AIGcom | Host: am1mxi05.aig.com | IP: 167.230.100.44", "description": "Extremely strange & disturbing report. A disruption at root of Cisco hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago\nHard to understand.", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:19:40.692000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db12d71978ca34e49e88e", "name": "Hacking stemming from malicious DGA Insurance domains under Cisco Umbrella", "description": "Extremely strange & disturbing report. A disruption at root of Cisco hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:11:09.672000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570", "defense entity fraud?" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db0487ec8c7a4c0b1ef0e", "name": "AIG Hacked or Spoofed website?", "description": "Extremely strange & disturbing report. Disruption under Cisco Umbrella hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:07:20.916000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653db044432cdee91e2f5d1c", "name": "AIG Hacked or Spoofed website?", "description": "Extremely strange & disturbing report. Disruption under Cisco Umbrella hack may be linked to a matrix of DGA insurance domains. AIG.com. Unclear validity. Spoof Domain, a tool AIG uses? Targets Tsara Brashears. Tulach unlikely a person more likely a profile accessed by entities. Rogue attornoes, etc. Large smear campaign wild cover up including death threats. Reports assert target's been harassed & harmed for years. Is this a cybercrime? Example of malicious tools deployed against innocents.\nMissing STSH\nVerdict: Concerning potential for physical harm to Target or associates\nWhy: Avoid lawsuit and press / reputation \nWho: ?\nIP: 167.230.100.44\nHost: am1mxi05.aig.com\nRegistrar: CSC CORPORATE DOMAINS, INC.\nCreation date: 28 years ago", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-29T01:07:16.410000", "tags": [ "ssl certificate", "threat roundup", "contacted", "execution", "august", "march", "whois record", "contacted urls", "malware", "copy", "april", "crypto", "alive", "malicious", "ducktail", "ransomware", "dead", "skynet", "chinese", "october", "roundup", "february", "goldfinder", "sibot", "hacktool", "metro", "goldmax", "installer", "awful", "open", "android", "banker", "keylogger", "united", "maltiverse", "mail spammer", "phishing site", "cyber threat", "engineering", "emotet", "phishing", "spammer", "firehol", "bank", "azorult", "team", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "installcore", "nymaim", "suppobox", "download", "looquer", "domains", "cisco umbrella", "site", "heur", "alexa top", "million", "safe site", "adware", "malware site", "malicious site", "artemis", "opencandy", "riskware", "tofsee", "gandcrab", "trojanx", "trojan", "generic", "bankerx", "service", "runescape", "facebook", "exploit", "agent", "mimikatz", "unsafe", "alexa", "union", "webtoolbar", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist https", "dsp1", "noname057", "tag count", "sample", "samples", "blacklist", "tsara brashears", "alohatube", "trojan", "scanning_host", "Botnet", "malvertizing", "abuse", "cyber stalking", "defacement", "adult content", "threats", "silencing", "harassment", "target", "aig", "workers compensation", "severe", "attack", "hacking", "yixun tool", "spyware", "malware", "evasion", "malicious", "private investigator", "legal entities", "insurance company", "remote attack", "colorado", "tulach", "Attack origin: United States", "apple", "ios", "victim", "allegations", "assault", "revenge", "retaliation", "libel", "monitoring", "tracking", "pegatech", "bam.nr-data.net", "bam", "nr-data.net", "matrix", "data.net", "asp.net", "apple private data collection", "norad.mil", "norad tracker", "b.scope", "command_and_control", "pornhub", "alohatube", "sweetheart videos", "users voice", "interfacing", "social engineering", "BankerX", "law enforcement aware, complacent or complicit?", "NSA tool Tulach malaware", "metro tmobile", "AS 10975 (NET-AIG) US", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "cus stnew", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "code", "microsoft", "win32 exe", "files", "detections type", "name", "confed", "network", "label netaig", "registry arin", "country us", "continent na", "whois lookup", "no match", "google", "dns replication", "domain", "type name", "pine street", "whois database", "email", "registrar iana", "icann whois", "contact", "form", "tech", "iana id", "tech email", "admin country", "CVE-2017-0147", "CVE-2018-0802", "CVE-2017-17215", "CVE-2016-7255", "CVE-2017-11882", "CVE-2017-8570" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore" ], "malware_families": [ { "id": "Chinese", "display_name": "Chinese", "target": null }, { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Neurovt", "display_name": "Neurovt", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "Yixun", "display_name": "Yixun", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "DUCKTAIL", "display_name": "DUCKTAIL", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Raccoon Stealer", "display_name": "Raccoon Stealer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "FireHOL", "display_name": "FireHOL", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5239, "FileHash-MD5": 929, "FileHash-SHA1": 500, "FileHash-SHA256": 3566, "domain": 1230, "hostname": 2051, "CVE": 6, "email": 5, "CIDR": 1 }, "indicator_count": 13527, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "874 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1a715b26eb6e3ff58875", "name": "Qakbot attacks. As strong as before?", "description": "", "modified": "2023-11-04T07:02:32.756000", "created": "2023-10-30T02:52:33.136000", "tags": [ "blacklist https", "rstunf", "tad436770", "united", "anonymizer", "mail spammer", "malicious host", "cyber threat", "heur", "phishing", "malware", "team", "control server", "qakbot", "redline stealer", "malicious", "asyncrat", "cobalt strike", "download", "cisco umbrella", "site", "safe site", "malicious url", "paypal", "team phishing", "detection list", "blacklist", "azorult", "service", "runescape", "facebook", "bank", "alexa", "blacknet rat", "stealer", "noname057", "ip summary", "url summary", "summary", "sample", "samples", "attack", "tsara", "tsara brashears", "boeing", "apple id", "samsung", "telegrafix", "trellian", "dumping", "fiies shared", "browser malware", "cyber criminal", "cyber crime", "brashears", "hybrid", "analysis" ], "references": [], "public": 1, "adversary": "Qakbot", "targeted_countries": [ "United States of America", "Japan", "Argentina" ], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "651e79f50ce42abe29702324", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3016, "domain": 620, "hostname": 1177, "FileHash-MD5": 519, "FileHash-SHA1": 292, "FileHash-SHA256": 2150, "CVE": 1 }, "indicator_count": 7775, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "651e79f50ce42abe29702324", "name": "Qakbot attacks. As strong as before?", "description": "command and control\nRedlinestealer\nQakbot\nNoName057\nAzorult\nBlack Rat\nbrowser malware \nBanker\nTheft\nPhishing", "modified": "2023-11-04T07:02:32.756000", "created": "2023-10-05T08:55:16.736000", "tags": [ "blacklist https", "rstunf", "tad436770", "united", "anonymizer", "mail spammer", "malicious host", "cyber threat", "heur", "phishing", "malware", "team", "control server", "qakbot", "redline stealer", "malicious", "asyncrat", "cobalt strike", "download", "cisco umbrella", "site", "safe site", "malicious url", "paypal", "team phishing", "detection list", "blacklist", "azorult", "service", "runescape", "facebook", "bank", "alexa", "blacknet rat", "stealer", "noname057", "ip summary", "url summary", "summary", "sample", "samples", "attack", "tsara", "tsara brashears", "boeing", "apple id", "samsung", "telegrafix", "trellian", "dumping", "fiies shared", "browser malware", "cyber criminal", "cyber crime", "brashears", "hybrid", "analysis" ], "references": [], "public": 1, "adversary": "Qakbot", "targeted_countries": [ "United States of America", "Japan", "Argentina" ], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3016, "domain": 620, "hostname": 1177, "FileHash-MD5": 519, "FileHash-SHA1": 292, "FileHash-SHA256": 2150, "CVE": 1 }, "indicator_count": 7775, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1a8f35a050560dcd3b00", "name": "Ireland Netsky | Relay Router | Misc Attack on LTL Fright Outage", "description": "", "modified": "2023-11-03T02:03:00.398000", "created": "2023-10-30T02:53:03.811000", "tags": [ "united", "smtp service", "firehol", "pony", "s1us", "s1de", "spammer", "proxy", "ireland netsky", "anonymizer", "cisco umbrella", "site", "safe site", "million", "alexa top", "alexa", "detection list", "blacklist", "malicious url", "blacklist http", "linkid252669", "noname057", "url summary", "summary", "sample", "samples", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc activity", "et policy", "tor ssl", "Hostname: RecoveryStore-3.7.5.1.4.6.2.0-D917-11E7-B67B-080027A49", "cyber criminal", "FireHOL", "Suricata Alert", "HTML document, ASCII text", "mail spammer", "malware site", "heur", "malware", "adware", "malicious site", "phishing site", "artemis", "unsafe", "exploit", "iframe", "fakealert", "opencandy", "riskware", "genkryptik", "nircmd", "swrort", "downldr", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "coinminer", "dropper", "cobalt strike", "acint", "systweak", "behav", "agent", "phishing", "maltiverse", "trojanspy", "webtoolbar", "phishing", "exploit-source" ], "references": [ "-Hostname: RecoveryStore-3.7.5.1.4.6.2.0-D917-11E7-B67B-080027A49DD/", "https://www.hybrid-analysis.com/sample/fa1f15bd4c0cd287fe04f324d3363a8b5a295b57cb22d9ea0f3d6973eb442d17/651c94c00b17fb9324040f7c" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Ireland Netsky", "display_name": "Ireland Netsky", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Transportation", "Technology" ], "TLP": "white", "cloned_from": "651cd4a6af63714f51c8d721", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 795, "FileHash-MD5": 663, "hostname": 1353, "URL": 2831, "FileHash-SHA1": 398, "FileHash-SHA256": 3611, "CVE": 8 }, "indicator_count": 9659, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "651cd4a6af63714f51c8d721", "name": "Ireland Netsky | Relay Router | Misc Attack on LTL Fright Outage", "description": "Cobalt Strike , FireHol anonymization, IT Attack, Suricata Alert, MITRE. Appears to be a complete cyber attack against a well known LTL Fright lines IT system.", "modified": "2023-11-03T02:03:00.398000", "created": "2023-10-04T02:57:42.183000", "tags": [ "united", "smtp service", "firehol", "pony", "s1us", "s1de", "spammer", "proxy", "ireland netsky", "anonymizer", "cisco umbrella", "site", "safe site", "million", "alexa top", "alexa", "detection list", "blacklist", "malicious url", "blacklist http", "linkid252669", "noname057", "url summary", "summary", "sample", "samples", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc activity", "et policy", "tor ssl", "Hostname: RecoveryStore-3.7.5.1.4.6.2.0-D917-11E7-B67B-080027A49", "cyber criminal", "FireHOL", "Suricata Alert", "HTML document, ASCII text", "mail spammer", "malware site", "heur", "malware", "adware", "malicious site", "phishing site", "artemis", "unsafe", "exploit", "iframe", "fakealert", "opencandy", "riskware", "genkryptik", "nircmd", "swrort", "downldr", "crack", "tiggre", "presenoker", "filetour", "cleaner", "conduit", "wacatac", "coinminer", "dropper", "cobalt strike", "acint", "systweak", "behav", "agent", "phishing", "maltiverse", "trojanspy", "webtoolbar", "phishing", "exploit-source" ], "references": [ "-Hostname: RecoveryStore-3.7.5.1.4.6.2.0-D917-11E7-B67B-080027A49DD/", "https://www.hybrid-analysis.com/sample/fa1f15bd4c0cd287fe04f324d3363a8b5a295b57cb22d9ea0f3d6973eb442d17/651c94c00b17fb9324040f7c" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "OpenCandy", "display_name": "OpenCandy", "target": null }, { "id": "Trojan:Win32/Tiggre", "display_name": "Trojan:Win32/Tiggre", "target": "/malware/Trojan:Win32/Tiggre" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Ireland Netsky", "display_name": "Ireland Netsky", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Transportation", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 795, "FileHash-MD5": 663, "hostname": 1353, "URL": 2831, "FileHash-SHA1": 398, "FileHash-SHA256": 3611, "CVE": 8 }, "indicator_count": 9659, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622a03d5ecc6fa1f4833e6c8", "name": "MesaCounty.us", "description": "", "modified": "2022-04-09T00:00:32.009000", "created": "2022-03-10T13:57:41.749000", "tags": [ "code", "mesa county", "grand junction", "key identifier", "microsoft", "account a", "algorithm", "neustar reserve", "x509v3 subject", "win32 exe", "date", "info", "server", "reserve account", "postal code", "a creation", "umbrella" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1828, "hostname": 568, "domain": 287, "FileHash-SHA256": 288, "FileHash-SHA1": 3, "email": 2, "FileHash-MD5": 1 }, "indicator_count": 2977, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1471 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621e371e2a74a1182e30386b", "name": "NYTIMES.COM", "description": "", "modified": "2022-03-31T00:02:44.795000", "created": "2022-03-01T15:09:18.236000", "tags": [ "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "issuer", "cncomodo rsa", "secure server", "ca cgb", "ca limited", "subject public", "key info", "key algorithm", "x509v3 key", "first", "server", "markmonitor", "date", "registrar abuse", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "code", "moves", "microsoft", "qianxin reddrip", "subdomains", "sophos news", "comodo valkyrie", "verdict mobile", "news popularity", "ranks rank", "value ingestion", "umbrella" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Media" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4576, "FileHash-SHA256": 936, "hostname": 1927, "domain": 989, "CVE": 1, "email": 2, "FileHash-MD5": 2, "FileHash-SHA1": 4 }, "indicator_count": 8437, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1480 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "61e2733e9e57250b5725ab5a", "name": "TrueCar.com", "description": "", "modified": "2022-02-14T00:00:26.279000", "created": "2022-01-15T07:09:50.416000", "tags": [ "android", "win32 exe", "key identifier", "win32 dll", "x509v3 subject", "server", "date", "registrar abuse", "algorithm", "markmonitor", "format", "impact", "first", "text", "email", "type name", "portable", "adguard premium", "usus", "mozilla firefox", "technology", "microsoft", "security", "subdomains", "threatseeker", "sophos", "comodo valkyrie", "verdict mobile", "rank value", "ingestion time", "statvoo", "cisco umbrella", "dns records", "record type", "ttl value", "msms94514764", "data", "v3 serial", "number", "issuer", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "domain status", "contact phone", "registrar", "ca creation", "dnssec", "domain name", "us registrant", "links https", "path", "submission", "httponly", "expiressat", "samesitelax", "details links", "vehicles comodo", "history first", "analysis" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17071, "hostname": 4203, "FileHash-SHA256": 1156, "domain": 4253, "FileHash-MD5": 13, "FileHash-SHA1": 5, "email": 1 }, "indicator_count": 26702, "is_author": false, "is_subscribing": null, "subscriber_count": 412, "modified_text": "1525 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "message.htm.com", "apple-identifiant.info", "nr-data.net", "joebiden.com", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "familyhandyman.com", "-Hostname: RecoveryStore-3.7.5.1.4.6.2.0-D917-11E7-B67B-080027A49DD/", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "0-i-0.xyz", "deadlineday.twitter.com", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://www.hybrid-analysis.com/sample/fa1f15bd4c0cd287fe04f324d3363a8b5a295b57cb22d9ea0f3d6973eb442d17/651c94c00b17fb9324040f7c", "https://www.anyxxxtube.net/media/favicon/apple", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "https://twitter.com/sheriffspurlock?lang=en", "0-courier.push.apple.com", "cs001.informativeremail-apple.zoom.com.cn", "http://watchhers.net/index.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "69.197.153.180" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Qakbot" ], "malware_families": [ "Content reputation", "Tofsee", "Opencandy", "Trojanspy", "Trojan:win32/installcore", "Chinese", "Cobalt strike", "Ireland netsky", "Skynet", "Maltiverse", "Artemis", "Nanocore", "Blacknet", "Cobalt strike - s0154", "Azorult", "Hiddentear", "Mimikatz", "Inmortal", "Yixun", "Goldmax - s0588", "Ransomware", "Hacktool.cheatengine", "Raccoon stealer", "Immortal stealer", "Gandcrab", "Webtoolbar", "Qbot", "Hacktool.bruteforce", "Mirai", "Trojan:win32/tiggre", "Hacktool", "Looquer", "Domains", "Emotet", "Ransomexx", "Firehol", "Goldfinder", "Trojanx", "Neurovt", "Ducktail", "Comspec", "Sibot", "Quackbot", "Et", "Nymaim", "Tinynote" ], "industries": [ "Transportation", "Technology", "Media", "Government" ], "unique_indicators": 151209 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/veic.fr", "whois": "http://whois.domaintools.com/veic.fr", "domain": "veic.fr", "hostname": "mx4.veic.fr" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 32, "pulses": [ { "id": "66d32648280eb859dfca1c19", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:48.037000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d3264283628d23b8f28b9d", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:42.621000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a20ff8db3854e863dca324", "name": "Shared Modules | Hijacker | Masquerading", "description": "", "modified": "2024-02-12T04:01:56.040000", "created": "2024-01-13T04:22:16.961000", "tags": [ "filehashmd5", "no expiration", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "hostname", "expiration", "domain", "url https", "url http", "source", "stix", "email", "email abuse", "goreasonlimited", "cc no", "tompc", "sum35", "domain xn", "searchbox0", "domainname0", "view", "apple", "apple id", "hijacking", "masquerading", "exploit", "cams", "monitoring", "loki bot", "dns", "open ports", "malvertizing", "malware hosting", "apple script", "js user", "dga", "dga domains", "malware", "multiple_versions", "wagersta", "decode", "system information discovery", "decrypt", "evasion", "defense evasion", "emotet", "android", "ios", "wannacry", "trojan", "worm", "cyber threat", "benjamin", "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "contacted urls", "execution", "whois whois", "whois sslcert", "and china", "drop", "uchealth", "university of cincinnati health" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 2296, "FileHash-SHA256": 3362, "URL": 6191, "domain": 2033, "hostname": 3097, "email": 37, "CVE": 2 }, "indicator_count": 19719, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597f9c7542ffc6fffaecb30", "name": "Injection (RunPE) |Win.Packer - https://myminiweb.com", "description": "polypragmonic, dns, win.packer, ig hacking, network bind, tracking", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:44:55.030000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4d4b5e060fb8a606a8", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.403000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6597fa4da16bd99cc5c02528", "name": "Botnet Campaign", "description": "", "modified": "2024-02-04T12:05:19.275000", "created": "2024-01-05T12:47:09.406000", "tags": [ "ciphersuite", "delete c", "search", "entries", "united", "stcalifornia", "lmenlo park", "ometa platforms", "odigicert inc", "cndigicert sha2", "copy", "write", "unknown", "no expiration", "expiration", "filehashsha256", "hostname", "domain", "ipv4", "url http", "url https", "filehashmd5", "filehashsha1", "next", "iocs", "pdf report", "pcap", "scan endpoints", "win64", "stix", "openioc", "enter", "ssl certificate", "whois record", "apple ios", "communicating", "referrer", "contacted", "resolutions", "threat roundup", "password", "networks", "hacktool", "crypto", "twitter", "june", "probe", "ransomware", "malware", "tsara brashears", "botnet campaign", "january", "content reputation", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6597f9c7542ffc6fffaecb30", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2469, "FileHash-SHA1": 2295, "FileHash-SHA256": 4925, "SSLCertFingerprint": 2, "URL": 4484, "domain": 2044, "hostname": 2375, "email": 18, "CVE": 4 }, "indicator_count": 18616, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be8f1e5db08cf140cdea23", "name": "TinyNote | Douglas County, Co Sheriff's Office | Pegasus Attacks SA victim ", "description": "", "modified": "2024-02-03T19:08:14.934000", "created": "2024-02-03T19:08:14.934000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "65b85d301a253bd67048cbba", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "806 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a2e3ebbb1bdfd541af3e91", "name": "TinyNote | Douglas County, Colorado Sheriff's Office?", "description": "", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-13T19:26:35.621000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "6593c7224a0e8926c28f73d5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85d301a253bd67048cbba", "name": "TinyNote | Douglas County, Co Sheriff's Office | Pegasus Attacks SA victim ", "description": "", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-30T02:21:36.334000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "65a2e3ebbb1bdfd541af3e91", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6593c7224a0e8926c28f73d5", "name": "TinyNote | Douglas County, Colorado Sheriff's Office?", "description": "Sent to me by D*n*i* M. P*r**h. I can't comprehend. Looks like framing and cyber tracking pf a SA victim by a sheriff best friend of reporting doctor whose wife is Douglas Co coroner. Reporting MD threatened and warned Brashears of what would happen then warned SA PT by relating issues. Targets and associated as severe risk.", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-02T08:19:45.693000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://mx4.veic.fr", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://mx4.veic.fr", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776642240.1331966 }