{ "type": "URL", "indicator": "https://mysmartlogon.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://mysmartlogon.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3904760205, "indicator": "https://mysmartlogon.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "686dc31588057c828d99de65", "name": "Darpapox CNC Beacon \u2022 Tethered to T-Mobile iOS", "description": "In November 2021 T-mobile.com/tethering/upsell.do\ttethered to a heavily targeted crime victim\u2019s phone. It\u2019s seemed to trigger an outage in Early November 2021. (IoC\u2019s left out of graph and Pulse) related to Palantir / Foundry/ Twitter \nI can anssume they are being spoofed, unfortunately, this harmful, powerfully dangerous \u2019tool\u2019 is a real a weapon that can and has lead to great harm or death ; is a product for sale.\n\nVictim was assaulted by PT under quasi government care. She has been injured, stalked, nearly assassinated, confronted, recorded, spied on denied healthcare, legal representation & relentlessly bullied online and otherwise to death.\nNOT EVERYONE SHOULD HAVE THIS TOOL. IT IS A WEAPON!", "modified": "2025-08-08T00:05:09.846000", "created": "2025-07-09T01:17:09.803000", "tags": [ "united", "status", "name servers", "search", "servers", "ip address", "creation date", "telekom ag", "present aug", "present dec", "date", "date checked", "url hostname", "server response", "google safe", "results jan", "next related", "domains show", "domain related", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "ascii text", "pattern match", "size", "null", "refresh", "body", "span", "hybrid", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "update", "whois field", "value address", "city bonn", "country de", "dnssec", "domain name", "name", "expiration date", "domain", "passive dns", "urls", "files ip", "address domain", "ip whois", "registrar", "entries", "next associated", "urls show", "results apr", "showing", "present nov", "results dec", "present jan", "results feb", "present mar", "results may", "results mar", "results aug", "present may", "present jun", "results jun", "t-mobile", "log4", "whois show", "record value", "name domain", "admin name", "org deutsche", "whois", "related", "comments", "status hostname", "query type", "address first", "seen last", "seen asn", "country", "emails", "services", "org principal", "financial", "high st", "ag organization", "server", "flag", "contacted hosts", "process details", "found cache", "control", "pragma", "present oct", "present feb", "moved", "name legal", "referral url", "wa status", "updated date", "whois server", "zipcode", "present apr", "content type", "gmt p3p", "noi nid", "cura adma", "deva psaa", "psda our", "sama bus", "pur com", "hostname add", "pulse pulses", "files", "domain add", "show", "copy", "reads", "total", "read", "write", "delete", "kawaii unicorn", "tethering", "iphone", "ios", "apple", "gmt content", "type", "dynamicloader", "yara rule", "medium", "high", "vmware", "msie", "windows nt", "wow64", "slcc2", "media center", "malware", "unknown", "ta0002 defense", "evasion ta0005", "ta0009", "lowfi", "ipv4 add", "location united", "america flag", "ransom", "trojandropper", "yara detections", "lehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "medium risk", "none related", "defender", "pulses none", "cnc beacon", "winver", "search host", "all ipv4", "hosting", "trojan", "tlsv1", "odigicert inc", "cndigicert sha2", "secure server", "stwashington", "lseattle", "as16509", "stcalifornia", "next", "execution", "dock", "persistence", "encrypt", "project", "process32nextw", "service", "t1003", "hacktool", "pe32", "win64", "cowboy server", "jakuz", "mimikatz", "darpapox", "default", "codeoverlap", "date hash", "deletes_executed_files", "ue codeoverlap", "pe section", "ipv4", "arkei stealer", "hash apr", "ma ma", "win32spigot may", "ub euj", "e ep", "ub uj", "program", "python", "write c", "intel", "ms windows", "updater", "launcher", "powershell", "langchinese", "ip check", "http host", "icmp traffic", "win32", "download", "handle", "address range", "cidr", "network name", "allocation type", "entity bns34", "ip addresses", "tsara brashears" ], "references": [ "https://offers.Tethered to target iPhone - T-mobile.com/tethering/upsell.do", "Kawaii-Unicorn.exe", "IDS Detections: Win32/Unruy Rogue Search Host Observed | Yara Detections: EnigmaProtector", "High Priority Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly", "High Priority Alerts: suricata_alert antivm_bochs_keys physical_drive_access", "Priority Alerts: physical_drive_access dynamic_function_loading resumethread_remote_process", "Priority Alerts: enumerates_running_processes reads_self network_http", "Priority Alerts: packer_entropy antidebug_ntsetinformationthread injection_rwx", "Priority Alerts: createtoolhelp32snapshot_module_enumeration packer_unknown_pe_section_name", "High Priority Alerts IDS: Backdoor.Darpapox/Jaku \u2022 CNAME CnC Beacon (WinVer 6.1)", "High Priority Alerts IDS: ADWARE/InstallCore.Gen Checkin \u2022 Adware.InstallCore.B Checkin", "High Priority Alerts IDS: Arkei Stealer \u2022 Config Download Request Vidar/Arkei Stealer Client Data Upload \u2022 192.157.56.140", "High Priority Alerts IDS: Potentially Unwanted Application AirInstaller CnC Beacon Backdoor.Win32.Hupigon.dpgy Checkin", "High Priority Alerts IDS: Possible Win32/Hupigon ip.txt with a Non-Mozilla UA \u2022 192.157.56.140", "High Priority Alerts IDS: Suspicious Zipped Filename in Outbound POST Request (Passwords.log) M2 \u2022 192.157.56.140", "High Priority Alerts IDS: Win32/Spigot Activity Potentially Unwanted Application AirInstaller \u2022 192.157.56.140", "High Priority Alerts IDS: \u2022 199.59.243.228", "High Priority Alerts IDS: Win32.Renos/Artro Trojan Checkin M1 Garveep POST CnC Beacon \u2022 199.59.243.228", "High Priority Alerts IDS: Best-targeted-traffic.com Spyware Install \u2022 199.59.243.228", "High Priority Alerts IDS: Win32.AdWare.iBryte.C Install Win32/Scudy.A Checkin \u2022 199.59.243.228", "High Priority Alerts IDS: iebaru Spyware User Agent Win32/Snojan Variant Uploading EXE \u2022 199.59.243.228", "High Priority Alerts IDS: (iebar) Dropper Checkin 2 (often scripts.dlv4.com related) \u2022 199.59.243.228", "High Priority Alerts IDS: Downloader (P2P Zeus dropper UA) Zeus Bot Connectivity Check \u2022 199.59.243.228", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing. \u2022 www.anyxxxtube.net \u2022", "ai-fairness-360.dev-lfprojects5.linuxfoundation.org \u2022-ran-sc.dev-lfprojects5.linuxfoundation.org", "[Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1) / Jacuz /Mimikatz] continues\u2026.", "[iRegarding - Serving IPs: 192.157.56.141 & 192.157.56.140 for http://tagram.com/ & continues", "http://titkok.com/ Final URL: http://survey-smiles.com/ | URL that may infect its visitors with malware. (DigitalMistica)]", "URL that may infect its visitors with malware. Last 4 references (DigitalMistica)]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "#fp539598-VBS/LoveLetter.BT", "display_name": "#fp539598-VBS/LoveLetter.BT", "target": null }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Backdoor.Darpapox/Jaku", "display_name": "Backdoor.Darpapox/Jaku", "target": null }, { "id": "Win.Trojan.Badur-8004052-0", "display_name": "Win.Trojan.Badur-8004052-0", "target": null }, { "id": "Win.Dropper.Unruy-9994363-0", "display_name": "Win.Dropper.Unruy-9994363-0", "target": null }, { "id": "Ransom:Win32/Haperlock.A", "display_name": "Ransom:Win32/Haperlock.A", "target": "/malware/Ransom:Win32/Haperlock.A" }, { "id": "Win.Malware.Bzub-9969513-0", "display_name": "Win.Malware.Bzub-9969513-0", "target": null }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "HackTool:Win32/Mimikatz", "display_name": "HackTool:Win32/Mimikatz", "target": "/malware/HackTool:Win32/Mimikatz" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Upatre!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Upatre!atmn", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1130, "FileHash-SHA1": 1094, "FileHash-SHA256": 4332, "URL": 413, "domain": 444, "hostname": 903, "email": 12, "SSLCertFingerprint": 34, "CIDR": 1 }, "indicator_count": 8363, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "254 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666ac558d08da6cfb3ba135b", "name": "Thor Lite Scanner - Cigabuntu (Parrot Version) vs. The Book of Shadows", "description": "A little unclear on 'just exactly what all of this is' - Other than Huntress Catching things and Thor & Bitdefender Gravutyzone ****ing the bed\n\nScan ID: S-6vsmMgE47Gk\nScan Id: S-H9GdDtmU2vU\n\n06.13.24: https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "modified": "2024-07-13T09:05:44.647000", "created": "2024-06-13T10:09:28.617000", "tags": [ "entity", "please", "javascript", "valhalla", "php", "filename ioc", "mon jun", "module", "sigtype1", "reasonscount", "tue jun", "exploit code", "file names", "matched1", "score", "shellcode", "form", "mimikatz", "powershell", "cobaltstrike", "null", "trace", "shell", "import", "empire", "hermanos", "cobalt strike", "void", "body", "exploit", "webshell", "antak", "anomaly", "error", "generic", "target", "obfus", "skeletonkey", "virustotal", "dllimport", "false", "flash", "info", "click", "macos", "test", "powersploit", "powercat", "tools", "metasploit", "twitter", "open", "path", "xploit" ], "references": [ "https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/summary", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/iocs", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/graph" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VALHALLA", "display_name": "VALHALLA", "target": null }, { "id": "PHP", "display_name": "PHP", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 74, "CVE": 156, "FileHash-MD5": 828, "FileHash-SHA1": 1126, "FileHash-SHA256": 746, "domain": 130, "email": 4, "hostname": 21 }, "indicator_count": 3085, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "High Priority Alerts IDS: Possible Win32/Hupigon ip.txt with a Non-Mozilla UA \u2022 192.157.56.140", "[Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1) / Jacuz /Mimikatz] continues\u2026.", "High Priority Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly", "High Priority Alerts IDS: Potentially Unwanted Application AirInstaller CnC Beacon Backdoor.Win32.Hupigon.dpgy Checkin", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing. \u2022 www.anyxxxtube.net \u2022", "Priority Alerts: createtoolhelp32snapshot_module_enumeration packer_unknown_pe_section_name", "High Priority Alerts IDS: Arkei Stealer \u2022 Config Download Request Vidar/Arkei Stealer Client Data Upload \u2022 192.157.56.140", "Priority Alerts: physical_drive_access dynamic_function_loading resumethread_remote_process", "High Priority Alerts IDS: ADWARE/InstallCore.Gen Checkin \u2022 Adware.InstallCore.B Checkin", "[iRegarding - Serving IPs: 192.157.56.141 & 192.157.56.140 for http://tagram.com/ & continues", "Kawaii-Unicorn.exe", "https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/iocs", "High Priority Alerts IDS: Win32.Renos/Artro Trojan Checkin M1 Garveep POST CnC Beacon \u2022 199.59.243.228", "High Priority Alerts: suricata_alert antivm_bochs_keys physical_drive_access", "http://titkok.com/ Final URL: http://survey-smiles.com/ | URL that may infect its visitors with malware. (DigitalMistica)]", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/graph", "High Priority Alerts IDS: iebaru Spyware User Agent Win32/Snojan Variant Uploading EXE \u2022 199.59.243.228", "https://offers.Tethered to target iPhone - T-mobile.com/tethering/upsell.do", "Priority Alerts: packer_entropy antidebug_ntsetinformationthread injection_rwx", "IDS Detections: Win32/Unruy Rogue Search Host Observed | Yara Detections: EnigmaProtector", "High Priority Alerts IDS: Win32.AdWare.iBryte.C Install Win32/Scudy.A Checkin \u2022 199.59.243.228", "High Priority Alerts IDS: Win32/Spigot Activity Potentially Unwanted Application AirInstaller \u2022 192.157.56.140", "High Priority Alerts IDS: (iebar) Dropper Checkin 2 (often scripts.dlv4.com related) \u2022 199.59.243.228", "URL that may infect its visitors with malware. Last 4 references (DigitalMistica)]", "High Priority Alerts IDS: Downloader (P2P Zeus dropper UA) Zeus Bot Connectivity Check \u2022 199.59.243.228", "Priority Alerts: enumerates_running_processes reads_self network_http", "High Priority Alerts IDS: Backdoor.Darpapox/Jaku \u2022 CNAME CnC Beacon (WinVer 6.1)", "High Priority Alerts IDS: Suspicious Zipped Filename in Outbound POST Request (Passwords.log) M2 \u2022 192.157.56.140", "ai-fairness-360.dev-lfprojects5.linuxfoundation.org \u2022-ran-sc.dev-lfprojects5.linuxfoundation.org", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/summary", "High Priority Alerts IDS: \u2022 199.59.243.228", "High Priority Alerts IDS: Best-targeted-traffic.com Spyware Install \u2022 199.59.243.228" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Valhalla", "Hacktool:win32/mimikatz", "Win.dropper.unruy-9994363-0", "Ransom:win32/haperlock", "Win.trojan.badur-8004052-0", "Trojan:win32/dorv.a", "Ransom:win32/haperlock.a", "Backdoor.darpapox/jaku", "#fp539598-vbs/loveletter.bt", "Win.malware.bzub-9969513-0", "Alf:jasyp:trojandownloader:win32/upatre!atmn", "Php", "Win.trojan.barys-10005825-0" ], "industries": [], "unique_indicators": 12698 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/mysmartlogon.com", "whois": "http://whois.domaintools.com/mysmartlogon.com", "domain": "mysmartlogon.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "686dc31588057c828d99de65", "name": "Darpapox CNC Beacon \u2022 Tethered to T-Mobile iOS", "description": "In November 2021 T-mobile.com/tethering/upsell.do\ttethered to a heavily targeted crime victim\u2019s phone. It\u2019s seemed to trigger an outage in Early November 2021. (IoC\u2019s left out of graph and Pulse) related to Palantir / Foundry/ Twitter \nI can anssume they are being spoofed, unfortunately, this harmful, powerfully dangerous \u2019tool\u2019 is a real a weapon that can and has lead to great harm or death ; is a product for sale.\n\nVictim was assaulted by PT under quasi government care. She has been injured, stalked, nearly assassinated, confronted, recorded, spied on denied healthcare, legal representation & relentlessly bullied online and otherwise to death.\nNOT EVERYONE SHOULD HAVE THIS TOOL. IT IS A WEAPON!", "modified": "2025-08-08T00:05:09.846000", "created": "2025-07-09T01:17:09.803000", "tags": [ "united", "status", "name servers", "search", "servers", "ip address", "creation date", "telekom ag", "present aug", "present dec", "date", "date checked", "url hostname", "server response", "google safe", "results jan", "next related", "domains show", "domain related", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "ascii text", "pattern match", "size", "null", "refresh", "body", "span", "hybrid", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "update", "whois field", "value address", "city bonn", "country de", "dnssec", "domain name", "name", "expiration date", "domain", "passive dns", "urls", "files ip", "address domain", "ip whois", "registrar", "entries", "next associated", "urls show", "results apr", "showing", "present nov", "results dec", "present jan", "results feb", "present mar", "results may", "results mar", "results aug", "present may", "present jun", "results jun", "t-mobile", "log4", "whois show", "record value", "name domain", "admin name", "org deutsche", "whois", "related", "comments", "status hostname", "query type", "address first", "seen last", "seen asn", "country", "emails", "services", "org principal", "financial", "high st", "ag organization", "server", "flag", "contacted hosts", "process details", "found cache", "control", "pragma", "present oct", "present feb", "moved", "name legal", "referral url", "wa status", "updated date", "whois server", "zipcode", "present apr", "content type", "gmt p3p", "noi nid", "cura adma", "deva psaa", "psda our", "sama bus", "pur com", "hostname add", "pulse pulses", "files", "domain add", "show", "copy", "reads", "total", "read", "write", "delete", "kawaii unicorn", "tethering", "iphone", "ios", "apple", "gmt content", "type", "dynamicloader", "yara rule", "medium", "high", "vmware", "msie", "windows nt", "wow64", "slcc2", "media center", "malware", "unknown", "ta0002 defense", "evasion ta0005", "ta0009", "lowfi", "ipv4 add", "location united", "america flag", "ransom", "trojandropper", "yara detections", "lehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "medium risk", "none related", "defender", "pulses none", "cnc beacon", "winver", "search host", "all ipv4", "hosting", "trojan", "tlsv1", "odigicert inc", "cndigicert sha2", "secure server", "stwashington", "lseattle", "as16509", "stcalifornia", "next", "execution", "dock", "persistence", "encrypt", "project", "process32nextw", "service", "t1003", "hacktool", "pe32", "win64", "cowboy server", "jakuz", "mimikatz", "darpapox", "default", "codeoverlap", "date hash", "deletes_executed_files", "ue codeoverlap", "pe section", "ipv4", "arkei stealer", "hash apr", "ma ma", "win32spigot may", "ub euj", "e ep", "ub uj", "program", "python", "write c", "intel", "ms windows", "updater", "launcher", "powershell", "langchinese", "ip check", "http host", "icmp traffic", "win32", "download", "handle", "address range", "cidr", "network name", "allocation type", "entity bns34", "ip addresses", "tsara brashears" ], "references": [ "https://offers.Tethered to target iPhone - T-mobile.com/tethering/upsell.do", "Kawaii-Unicorn.exe", "IDS Detections: Win32/Unruy Rogue Search Host Observed | Yara Detections: EnigmaProtector", "High Priority Alerts: infostealer_cookies persistence_autorun procmem_yara static_pe_anomaly", "High Priority Alerts: suricata_alert antivm_bochs_keys physical_drive_access", "Priority Alerts: physical_drive_access dynamic_function_loading resumethread_remote_process", "Priority Alerts: enumerates_running_processes reads_self network_http", "Priority Alerts: packer_entropy antidebug_ntsetinformationthread injection_rwx", "Priority Alerts: createtoolhelp32snapshot_module_enumeration packer_unknown_pe_section_name", "High Priority Alerts IDS: Backdoor.Darpapox/Jaku \u2022 CNAME CnC Beacon (WinVer 6.1)", "High Priority Alerts IDS: ADWARE/InstallCore.Gen Checkin \u2022 Adware.InstallCore.B Checkin", "High Priority Alerts IDS: Arkei Stealer \u2022 Config Download Request Vidar/Arkei Stealer Client Data Upload \u2022 192.157.56.140", "High Priority Alerts IDS: Potentially Unwanted Application AirInstaller CnC Beacon Backdoor.Win32.Hupigon.dpgy Checkin", "High Priority Alerts IDS: Possible Win32/Hupigon ip.txt with a Non-Mozilla UA \u2022 192.157.56.140", "High Priority Alerts IDS: Suspicious Zipped Filename in Outbound POST Request (Passwords.log) M2 \u2022 192.157.56.140", "High Priority Alerts IDS: Win32/Spigot Activity Potentially Unwanted Application AirInstaller \u2022 192.157.56.140", "High Priority Alerts IDS: \u2022 199.59.243.228", "High Priority Alerts IDS: Win32.Renos/Artro Trojan Checkin M1 Garveep POST CnC Beacon \u2022 199.59.243.228", "High Priority Alerts IDS: Best-targeted-traffic.com Spyware Install \u2022 199.59.243.228", "High Priority Alerts IDS: Win32.AdWare.iBryte.C Install Win32/Scudy.A Checkin \u2022 199.59.243.228", "High Priority Alerts IDS: iebaru Spyware User Agent Win32/Snojan Variant Uploading EXE \u2022 199.59.243.228", "High Priority Alerts IDS: (iebar) Dropper Checkin 2 (often scripts.dlv4.com related) \u2022 199.59.243.228", "High Priority Alerts IDS: Downloader (P2P Zeus dropper UA) Zeus Bot Connectivity Check \u2022 199.59.243.228", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing. \u2022 www.anyxxxtube.net \u2022", "ai-fairness-360.dev-lfprojects5.linuxfoundation.org \u2022-ran-sc.dev-lfprojects5.linuxfoundation.org", "[Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1) / Jacuz /Mimikatz] continues\u2026.", "[iRegarding - Serving IPs: 192.157.56.141 & 192.157.56.140 for http://tagram.com/ & continues", "http://titkok.com/ Final URL: http://survey-smiles.com/ | URL that may infect its visitors with malware. (DigitalMistica)]", "URL that may infect its visitors with malware. Last 4 references (DigitalMistica)]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "#fp539598-VBS/LoveLetter.BT", "display_name": "#fp539598-VBS/LoveLetter.BT", "target": null }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Backdoor.Darpapox/Jaku", "display_name": "Backdoor.Darpapox/Jaku", "target": null }, { "id": "Win.Trojan.Badur-8004052-0", "display_name": "Win.Trojan.Badur-8004052-0", "target": null }, { "id": "Win.Dropper.Unruy-9994363-0", "display_name": "Win.Dropper.Unruy-9994363-0", "target": null }, { "id": "Ransom:Win32/Haperlock.A", "display_name": "Ransom:Win32/Haperlock.A", "target": "/malware/Ransom:Win32/Haperlock.A" }, { "id": "Win.Malware.Bzub-9969513-0", "display_name": "Win.Malware.Bzub-9969513-0", "target": null }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "HackTool:Win32/Mimikatz", "display_name": "HackTool:Win32/Mimikatz", "target": "/malware/HackTool:Win32/Mimikatz" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Upatre!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Upatre!atmn", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1130, "FileHash-SHA1": 1094, "FileHash-SHA256": 4332, "URL": 413, "domain": 444, "hostname": 903, "email": 12, "SSLCertFingerprint": 34, "CIDR": 1 }, "indicator_count": 8363, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "254 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666ac558d08da6cfb3ba135b", "name": "Thor Lite Scanner - Cigabuntu (Parrot Version) vs. The Book of Shadows", "description": "A little unclear on 'just exactly what all of this is' - Other than Huntress Catching things and Thor & Bitdefender Gravutyzone ****ing the bed\n\nScan ID: S-6vsmMgE47Gk\nScan Id: S-H9GdDtmU2vU\n\n06.13.24: https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "modified": "2024-07-13T09:05:44.647000", "created": "2024-06-13T10:09:28.617000", "tags": [ "entity", "please", "javascript", "valhalla", "php", "filename ioc", "mon jun", "module", "sigtype1", "reasonscount", "tue jun", "exploit code", "file names", "matched1", "score", "shellcode", "form", "mimikatz", "powershell", "cobaltstrike", "null", "trace", "shell", "import", "empire", "hermanos", "cobalt strike", "void", "body", "exploit", "webshell", "antak", "anomaly", "error", "generic", "target", "obfus", "skeletonkey", "virustotal", "dllimport", "false", "flash", "info", "click", "macos", "test", "powersploit", "powercat", "tools", "metasploit", "twitter", "open", "path", "xploit" ], "references": [ "https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/summary", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/iocs", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/graph" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VALHALLA", "display_name": "VALHALLA", "target": null }, { "id": "PHP", "display_name": "PHP", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 74, "CVE": 156, "FileHash-MD5": 828, "FileHash-SHA1": 1126, "FileHash-SHA256": 746, "domain": 130, "email": 4, "hostname": 21 }, "indicator_count": 3085, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://mysmartlogon.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://mysmartlogon.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776639041.5001938 }