{ "type": "URL", "indicator": "https://ns2.chura.pl", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ns2.chura.pl", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2923817045, "indicator": "https://ns2.chura.pl", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 34, "pulses": [ { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980ad16123b5d52f5f76f", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com [Report originated from octoseek]", "description": "", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-19T12:10:21.291000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": "65f4ba867ec44a4dc0e6fc96", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f4ba867ec44a4dc0e6fc96", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com", "description": "Jiuxiu Live - High-quality beauty online video interactive community - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -porn dump. Performed tiny DNS test on affected target. \nDNS stuffing pornography. DNSpionage , custom browser, DNS tunneling encoding data, programs, protocols, DNS queries, responses, amplification attack; perform (DDoS) on server, flood attack, spoofing. Attack. Miles IT & affiliated logging inas target. Pitfall of being compromised for some; you won't speak to legitimate business unless you know & recognize voice. \nSome notations in references.", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-15T21:15:50.802000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a1c74cf5f1af5be6464e", "name": " authsmtp.sabeydatacenters.com | tulach gained access to Side3 Studios Denver\t\t", "description": "", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:41:27.252000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": "65c4a099f6a2c8fc2bb85d4b", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a099f6a2c8fc2bb85d4b", "name": "Cyber espionage & ransomware attacks Denver Recording Studio", "description": "GoldMax is used by UNC2452 as a command-and-control backdoor. It is written in the Go programming language. To hide its activities, it generates dummy traffic.\n\nSibot is a VBScript-based malware that allows attackers to download and run payloads from a remote command-and-control server. It uses file names that are similar to those used in Windows for masquerading. The VBScript is executed through a scheduled task.\n\nGoldFinder is another Go malware used by attackers to access a hardcoded command-and-control (C2) server by logging the route or hops that a packet takes like an HTTP tracer tool.", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:36:25.114000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65715b49b95c13605856d6d0", "name": "Lazarus Group _ 192.229.211.108", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-07T05:42:33.281000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "65715ad29ac565164664960b", "export_count": 210, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65715ad29ac565164664960b", "name": "InstallMate", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-07T05:40:34.888000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 210, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6572622bba87d8d105a7259f", "name": "Lazarus Group _ 192.229.211.108", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-08T00:24:11.801000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "65715b49b95c13605856d6d0", "export_count": 234, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6558d52f7078c8c2558602c6", "name": "Bot Network locates, remotely connects, archives Targets property", "description": "FormBook, rat, trojan, C2, scripter, rat, Tulach Malware Family, method, command and control, scanning host, attack, cyber threat, cyber stalking.\nTargets: Tsara Brashears by remotely locationing, connection and control of any property Brashears and associated aquires. \nBot Networks and Apple Crackers:\nt.prototype.hasownproperty.call\nhttp://45.159.189.105/bot/regex\nhttp://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel\t\nhttp://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5\n114.114.114.114\nhttp://45.159.189.105/bot/online?key=56d9a38b25a0c16ea67e7d74c06851fc8eac5b4ad06b30712a8253baf78647a8&guid=WALKER-PC\\WALKER\n\n\nhttp://clipper.guru/bot/online?guid=WALKER-PC\nNo Expiration\t0\t\n\n\nhttp://103.246.145.111/del.php?hwid=WALKER-PC-WALKER\n\nhttp://103.246.145.111/delonl.php?hwid=WALKER-PC-WALKER\nhttp://103.246.145.111/gate.php?hwid=WALKER-PC-WALKER&os=Windows%207%20Enterprise&cpu=Intel\nURL\nhttps://twitter.com/PORNO_SEXYBABES\n\ntwitter.com.", "modified": "2023-12-18T14:02:38.834000", "created": "2023-11-18T15:15:59.916000", "tags": [ "passive dns", "urls", "domain", "scan endpoints", "all octoseek", "pulse pulses", "files", "files ip", "address domain", "ip related", "win32 exe", "type name", "execution", "contacted", "referrer", "whois whois", "tsara brashears", "ssl certificate", "malware", "password bypass", "apple phone", "unlocker", "dark power", "cobalt strike", "core", "download", "relic", "monitoring", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 52, "hostname": 214, "FileHash-MD5": 92, "FileHash-SHA1": 92, "FileHash-SHA256": 968, "URL": 470 }, "indicator_count": 1888, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655650c9b2be6cc930c92cf3", "name": "https://myaccount.uscis.gov/", "description": "HOW!?!? My device was remotely logged into this account somehow.\nThis is egregious. Silence Threats. I have no connection to this but was contacted by a while ago. I don't know how or why a part of the government would attack a person with a TBI and C1 - S1 Spinal cord injury allegedly caused by Colorado physical therapist and protect him. Why is victim, tracked and unsafe, receiving death threats, monitored, denied medical care, stalked EVERYWHERE. \nEven felons aren't monitored for life. STOP.\nWill this get us killed. Do the right thing.\nGod bless America, purge the government.\nThe truth should set you fee not get you harmed.", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:26:33", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655652f6ddcbf952a599cded", "name": "https://myaccount.uscis.gov/", "description": "After Mark Montano Md reported alleged acts by Jeffrey Scott Reimer after receiving 'multiple' reports of him aggressively pursuing Brashears, she was contacted, told she violated the Patriot Act by Big O Tires?!! Received letters from the above and harassed for years. Colorado Workers compensation is so corrupt this may be my last post. She was immediately framed , blamed, porn smeared and stalked. Denied medical care , when received died on surgery table, revised and disabled. Even the mafia would tackle only the associates bringing undue negative attention to their own organization.", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:35:50.285000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65565477da453c46f05a6ac4", "name": "BTW VirusTotal - \" interesting files written to disk during execution'", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:42:15.123000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655657ca2e402d4f98283de9", "name": "https://myaccount.uscis.gov/ ", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:56:26.312000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655686e2c072557f03e9cba2", "name": "https://myaccount.uscis.gov/ [pulse created by Octoseek]", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T21:17:22.087000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580c52bf98f256b6a01da6", "name": "https://myaccount.uscis.gov/", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-18T00:58:58.944000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aac25a8a2caaddf0d3b88", "name": "https://myaccount.uscis.gov/", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-12-02T04:01:41.427000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655652f6ddcbf952a599cded", "export_count": 93, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6558126013aef7ce80968842", "name": "PuffStealer", "description": "", "modified": "2023-12-09T03:01:57.989000", "created": "2023-11-18T01:24:48.887000", "tags": [ "ssl certificate", "historical ssl", "communicating", "contacted", "resolutions", "whois record", "whois whois", "whois parent", "whois siblings", "skynet", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "back", "download", "phishing", "union", "bank", "malicious site", "blacklist http", "exit", "traffic", "node tcp", "tor known", "tor relayrouter", "et tor", "known tor", "relayrouter", "anonymizer", "spammer", "malware", "dropped", "unlocker", "http", "critical risk", "redline stealer", "core", "hacktool", "execution", "type win32", "exe size", "first seen", "file name", "avast win32", "win32", "avg win32", "fortinet", "vitro", "mb first", "rmndrp", "clean mx", "undetected dns8", "undetected vx", "sophos", "vault", "zdb zeus", "cmc threat", "snort ip", "feodo tracker", "cybereason", "send bug", "pe yandex", "no data", "tag count", "count blacklist", "tag tag", "algorithm", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "first", "seen", "valid", "no na", "no no", "ip security", "cndst root", "ca x3", "ca id", "research group", "cnisrg root", "no expired", "mozilla", "android", "malicious red team", "tsara brashears", "cyber stalking", "malvertizing", "invasion of privacy", "threat", "adult content", "apple", "iphone unlocker", "android", "exploited spyware", "malware host", "brute force", "revenge-rat", "banker", "evasive", "domain", "redline", "stealer", "phishing", "ramnit", "unreliable subdomains", "dridex", "gating", "msil", "rat", "loki", "network", "hacking", "sinkhole", "azorult", "c2", "historicalandnew", "targeted attack", "puffstealer", "rultazo", "lokibot", "loki pws", "burkina", "banker,dde,dridex,exploit", "banker,dridex,evasive", "trickbot", "ransomware,torrentlocker", "exploit_source", "blacknet", "FileRepMalware", "linux agent", "blacknet", "ios", "phishing paypal", "tagging", "defacement", "hit", "bounty", "phishing site", "malware site", "malware download", "endangerment", "Malicious domain - SANS Internet Storm Center", "evasive,msil,rat,revenge-rat", "prism_setting", "prism_object", "static engine", "social engineering", "jansky", "worm", "network rat", "networm", "Loki Password Stealer (PWS)", "South Carolina Federal Credit Union phishing", "darkweb", "yandex", "redirectors", "blacknet threats", "phishing,ransomware,sinkhole", "wanacrypt0r,wannacry,wcry", "tor c++", "tor c++ client", "python user", "js user", "hacker", "hijacker", "heur", "maltiverse", "alexa top", "exploit", "riskware", "unsafe", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "crack", "webtoolbar", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "__convergedlogin_pcustomizationloader_44b450e8d543eb53930d", "malicious url", "financial", "blacknet rat", "azorult", "stealer", "deep scan", "blacklist https", "referrer", "collections kp", "incident ip", "sneaky server", "replacement", "unauthorized", "emotet", "noname057", "generic malware", "engineering", "cyber threat", "facebook", "paypal", "dropbox", "united", "america", "banking", "wells fargo", "steam", "twitter", "sliver", "daum", "swift", "runescape", "betabot", "district", "iframe", "alexa", "downldr", "agent", "presenoker", "bladabindi", "live", "conduit", "pony", "covid19", "malicious", "cobalt strike", "suppobox", "ramnit", "meterpreter", "virut", "njrat", "pykspa", "asyncrat", "downloader", "fakealert", "binder", "virustotal", "formbook", "necurs", "trojan", "msil", "hiloti", "vawtrak", "simda", "kraken", "solimba", "icedid", "redirector", "suspic", "amadey", "raccoon", "nanocore rat", "revenge rat", "genkryptik", "fuery", "wacatac", "service", "cloudeye", "tinba", "domaiq", "ave maria", "zeus", "ransomware", "zbot", "generic", "trojanspy", "states", "inmortal", "locky", "strike", "china cobalt", "keybase", "cutwail", "citadel", "radamant", "kovter", "bradesco", "nymaim", "amonetize", "bondat", "ghost rat", "vjw0rm", "bandoo", "matsnu", "dnspionage", "darkgate", "vidar", "keylogger", "remcos", "agenttesla", "detplock", "win64", "smokeloader", "agent tesla", "kgs0", "kls0", "urls", "type name", "dns replication", "date", "domain", "win32 exe", "files", "detections type", "name", "drpsuinstaller", "vdfsurfs", "opera", "icwrmind", "notepad", "installer", "miner", "unknown", "networm", "houdini", "quasar rat", "gamehack", "dbatloader", "qakbot", "ursnif", "CVE-2005-1790", "CVE-2009-3672", "CVE-2010-3962", "CVE-2012-3993", "CVE-2014-6332", "CVE-2017-11882", "CVE-2020-0601", "CVE-2020-0674", "hallrender.com", "brian sabey", "insurance", "botnetwork", "botmaster", "command_and_control", "CVE-2021-27065", "CVE-2021-40444", "CVE-2023-4966", "CVE-2017-0199", "CVE-2018-4893", "CVE-2010-3333", "CVE-2015-1641", "CVE-2017-0147", "CVE-2017-8570", "CVE-2018-0802", "CVE-2018-8373", "CVE-2017-8759", "CVE-2018-8453", "CVE-2014-3153", "CVE-2015-1650", "CVE-2017-0143", "CVE-2017-8464", "Icefog", "Delf.NBX", "$WebWatson", "Gen:Heur.Ransom.HiddenTears", "mobilekey.pw", "bitbucket.org", "Anomalous.100%", "malware distribution site", "gootkit", "edsaid", "rightsaided", "betabot", "cobaltstrike4.tk", "mas.to", "BehavesLike.YahLover", "srdvd16010404", "languageenu", "buildno", "channelisales", "vendorname2581", "osregion", "device", "systemlocale", "majorver16", "quasar", "find", "lockbit", "chaos", "ransomexx", "grandoreiro", "evilnum", "banker" ], "references": [ "https://hybrid-analysis.com/sample/6765f47ea77c8274c8e4973ed95aedf59e75998c62f6029e23c58cdf36ed85ba/654afdbdc621e7037801cce7", "20.99.186.246 exploit source", "fp2e7a.wpc.2be4.phicdn.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing, ELF, Prism.exe found)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password cracker)", "http://182.22.25.124:7878/182.22.25.124:443 (malicious dropper)", "init.ess.apple.com (malicious code script)", "https://www.pornhub.com/video/search?search=tsara+brashears (Malicious PW cracker | stylebk.css stylesheets - not found )", "https://urlscan.io/result/a328d9ff-fb49-4078-960d-a757fd41404f/#indicators", "VirusTotal Link: https://www.virustotal.com/gui/ip-address/20.99.186.246/detection", "Abuse IPDB Link: https://www.abuseipdb.com/check/20.99.186.246", "IPv4 45.12.253.72. command_and_control", "Hostname: ddos.dnsnb8.net command_and_control", "IPv4 95.213.186.51 command_and_control", "Hostname: www.supernetforme.com command_and_control", "IPv4 103.224.182.246 command_and_control", "IPv4 72.251.233.245 command_and_control", "IPv4 63.251.106.25 command_and_control", "IPv4 45.15.156.208 command_and_control", "IPv4 104.247.81.51 command_and_control", "http://ambisexual.phone-sex-blogs.com/http:/ambisexual.phone-sex-blogs.com/images/thumbnails/pic118.jpg (phishing)", "https://downloaddevtools.ir/ (phishing)", "happylifehappywife.com", "apples.encryptedwork.com (Interesting in the blacknet)", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635. (iOS unlocker and hijacker)", "https://www.anyxxxtube.net/media/favicon/apple (password cracker and iOS hijacker)", "https://www.apple.com/shop/browse/open/country_selector (exploit)", "www.norad.mil (federal tracking tool used by attorneys, law firms, and private investigators 'licensed or unlicensed') hi!", "http://init-p01st.push.apple.com/bag (malicious web creator)", "opencve.djgummikuh.de (CVE dispensary)", "Maltiverse Research Team", "URLscan.io", "Deep Research", "Hybrid Analysis", "URLhaus Abuse.ch", "Cyber Threat Coalition", "ThreatFox Abuse.ch" ], "public": 1, "adversary": "Lucky Mouse APT27 | NoName057(16) | Unnamed", "targeted_countries": [ "United States of America", "France", "Spain" ], "malware_families": [ { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "Ramnit.N", "display_name": "Ramnit.N", "target": null }, { "id": "Loki Bot", "display_name": "Loki Bot", "target": null }, { "id": "Loki Password Stealer (PWS)", "display_name": "Loki Password Stealer (PWS)", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Zbd Zeus", "display_name": "Zbd Zeus", "target": null }, { "id": "Trojan:MSIL/Burkina", "display_name": "Trojan:MSIL/Burkina", "target": "/malware/Trojan:MSIL/Burkina" }, { "id": "Generic.TrickBot.1", "display_name": "Generic.TrickBot.1", "target": null }, { "id": "Exploit.CVE", "display_name": "Exploit.CVE", "target": null }, { "id": "Injector.IS.gen", "display_name": "Injector.IS.gen", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Trojan.Androm.Gen", "display_name": "Trojan.Androm.Gen", "target": null }, { "id": "HEUR:Trojan.Linux.Agent", "display_name": "HEUR:Trojan.Linux.Agent", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "VBA.Downloader", "display_name": "VBA.Downloader", "target": null }, { "id": "Trojan.Notifier", "display_name": "Trojan.Notifier", "target": null }, { "id": "HEUR:Trojan.MSOffice.Alien", "display_name": "HEUR:Trojan.MSOffice.Alien", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Gen:Variant.Johnnie", "display_name": "Gen:Variant.Johnnie", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan:Python/Downldr", "display_name": "Trojan:Python/Downldr", "target": "/malware/Trojan:Python/Downldr" }, { "id": "Trojan:Linux/Downldr", "display_name": "Trojan:Linux/Downldr", "target": "/malware/Trojan:Linux/Downldr" }, { "id": "Trojan:VBA/Downldr", "display_name": "Trojan:VBA/Downldr", "target": "/malware/Trojan:VBA/Downldr" }, { "id": "TrojanDownloader:Linux/Downldr", "display_name": "TrojanDownloader:Linux/Downldr", "target": "/malware/TrojanDownloader:Linux/Downldr" }, { "id": "Kryptik.FPH.gen", "display_name": "Kryptik.FPH.gen", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.JAT", "display_name": "Phish.JAT", "target": null }, { "id": "Phishing.HTML", "display_name": "Phishing.HTML", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Xegumumune.8596c22f", "display_name": "Xegumumune.8596c22f", "target": null }, { "id": "Generic.Malware.SMYB", "display_name": "Generic.Malware.SMYB", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "Agent.NBAE", "display_name": "Agent.NBAE", "target": null }, { "id": "AGEN.1045227", "display_name": "AGEN.1045227", "target": null }, { "id": "Riskware.Agent", "display_name": "Riskware.Agent", "target": null }, { "id": "Gen:Variant.Cerbu", "display_name": "Gen:Variant.Cerbu", "target": null }, { "id": "IL:Trojan.MSILZilla", "display_name": "IL:Trojan.MSILZilla", "target": null }, { "id": "Dropped:Generic.Ransom.DMR", "display_name": "Dropped:Generic.Ransom.DMR", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Trojan.Heur", "display_name": "Trojan.Heur", "target": null }, { "id": "Trojan.Malware.300983", "display_name": "Trojan.Malware.300983", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "Trojan.DelShad", "display_name": "Trojan.DelShad", "target": null }, { "id": "Exploit CVE-2017-11882", "display_name": "Exploit CVE-2017-11882", "target": null }, { "id": "GameHack.NL", "display_name": "GameHack.NL", "target": null }, { "id": "JS:Trojan.HideLink", "display_name": "JS:Trojan.HideLink", "target": null }, { "id": "Script.Agent", "display_name": "Script.Agent", "target": null }, { "id": "Macro.Agent", "display_name": "Macro.Agent", "target": null }, { "id": "Macro.Downloader.AMIP", "display_name": "Macro.Downloader.AMIP", "target": null }, { "id": "Trojan.VBA", "display_name": "Trojan.VBA", "target": null }, { "id": "HEUR.VBA.Trojan", "display_name": "HEUR.VBA.Trojan", "target": null }, { "id": "VB.EmoooDldr.10", "display_name": "VB.EmoooDldr.10", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Packed-GV", "display_name": "Packed-GV", "target": null }, { "id": "Adware.InstallMonetizer", "display_name": "Adware.InstallMonetizer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Presenoker", "display_name": "Presenoker", "target": null }, { "id": "SGeneric", "display_name": "SGeneric", "target": null }, { "id": "GameHack.DOM", "display_name": "GameHack.DOM", "target": null }, { "id": "BehavesLike.Ransom", "display_name": "BehavesLike.Ransom", "target": null }, { "id": "CIL.StupidCryptor", "display_name": "CIL.StupidCryptor", "target": null }, { "id": "Gen:Heur.Ransom.MSIL", "display_name": "Gen:Heur.Ransom.MSIL", "target": null }, { "id": "Black.Gen2", "display_name": "Black.Gen2", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Trojan.HTML.PHISH", "display_name": "Trojan.HTML.PHISH", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Program.Unwanted", "display_name": "Program.Unwanted", "target": null }, { "id": "HEUR/QVM42.3.72EB.Malware", "display_name": "HEUR/QVM42.3.72EB.Malware", "target": null }, { "id": "suspicious.low.ml", "display_name": "suspicious.low.ml", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Suspicious_GEN.F47V0520", "display_name": "Suspicious_GEN.F47V0520", "target": null }, { "id": "Dropper.Trojan.Generic", "display_name": "Dropper.Trojan.Generic", "target": null }, { "id": "Trojan.TrickBot", "display_name": "Trojan.TrickBot", "target": null }, { "id": "Malware.Tk.Generic", "display_name": "Malware.Tk.Generic", "target": null }, { "id": "TrojanSpy.Java", "display_name": "TrojanSpy.Java", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "BehavesLike.Exploit", "display_name": "BehavesLike.Exploit", "target": null }, { "id": "Gen:NN.ZemsilF.34128", "display_name": "Gen:NN.ZemsilF.34128", "target": null }, { "id": "Wacapew.C", "display_name": "Wacapew.C", "target": null }, { "id": "Trojan.Malware.121218", "display_name": "Trojan.Malware.121218", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "W32.Trojan", "display_name": "W32.Trojan", "target": null }, { "id": "BScope.Riskware", "display_name": "BScope.Riskware", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "Virus.Ramnit", "display_name": "Virus.Ramnit", "target": null }, { "id": "Virus.Virut", "display_name": "Virus.Virut", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "AGEN.1141126", "display_name": "AGEN.1141126", "target": null }, { "id": "W32.AIDetect", "display_name": "W32.AIDetect", "target": null }, { "id": "Trojan.Python", "display_name": "Trojan.Python", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Adware.Downware", "display_name": "Adware.Downware", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Gen:Variant.Midie", "display_name": "Gen:Variant.Midie", "target": null }, { "id": "HEUR/QVM41.2.DA9B.Malware", "display_name": "HEUR/QVM41.2.DA9B.Malware", "target": null }, { "id": "Gen:Variant.Sirefef", "display_name": "Gen:Variant.Sirefef", "target": null }, { "id": "Macro.Trojan.Dropperd", "display_name": "Macro.Trojan.Dropperd", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Redcap.rlhse", "display_name": "Redcap.rlhse", "target": null }, { "id": "Trojan.Trickster", "display_name": "Trojan.Trickster", "target": null }, { "id": "HTML_REDIR.SMR", "display_name": "HTML_REDIR.SMR", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "JS:Iframe", "display_name": "JS:Iframe", "target": null }, { "id": "Application.SQLCrack", "display_name": "Application.SQLCrack", "target": null }, { "id": "susp.lnk", "display_name": "susp.lnk", "target": null }, { "id": "QVM201.0.B70B.Malware", "display_name": "QVM201.0.B70B.Malware", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebMonitor RAT", "display_name": "WebMonitor RAT", "target": null }, { "id": "Tor - S0183", "display_name": "Tor - S0183", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCryptor", "display_name": "WannaCryptor", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "DeepScan:Generic.Ransom.GandCrab5", "display_name": "DeepScan:Generic.Ransom.GandCrab5", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "States", "display_name": "States", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "Gen:NN.ZexaF.32515", "display_name": "Gen:NN.ZexaF.32515", "target": null }, { "id": "FileRepMalware", "display_name": "FileRepMalware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Icefog", "display_name": "Icefog", "target": null }, { "id": "$WebWatson", "display_name": "$WebWatson", "target": null }, { "id": "Agent.AIK.gen", "display_name": "Agent.AIK.gen", "target": null }, { "id": "Agent.AIK.genCIL.StupidCryptor", "display_name": "Agent.AIK.genCIL.StupidCryptor", "target": null }, { "id": "Agent.YPEZ", "display_name": "Agent.YPEZ", "target": null }, { "id": "Application.InnovativSol", "display_name": "Application.InnovativSol", "target": null }, { "id": "Agent.ASO", "display_name": "Agent.ASO", "target": null }, { "id": "S-b748adc5", "display_name": "S-b748adc5", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "Kryptik.GUCB", "display_name": "Kryptik.GUCB", "target": null }, { "id": "AgentTesla", "display_name": "AgentTesla", "target": null }, { "id": "Autoit.bimwt", "display_name": "Autoit.bimwt", "target": null }, { "id": "HEUR:Trojan.OLE2.Alien", "display_name": "HEUR:Trojan.OLE2.Alien", "target": null }, { "id": "AGEN.1038489", "display_name": "AGEN.1038489", "target": null }, { "id": "Gen:Variant.Ser.Strictor", "display_name": "Gen:Variant.Ser.Strictor", "target": null }, { "id": "Packed.Themida.Gen", "display_name": "Packed.Themida.Gen", "target": null }, { "id": "AGEN.1043164", "display_name": "AGEN.1043164", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.PornoAsset", "display_name": "Trojan.PornoAsset", "target": null }, { "id": "Ransom.Win64.PORNOASSET.SM1", "display_name": "Ransom.Win64.PORNOASSET.SM1", "target": null }, { "id": "Gen:Variant.Ulise", "display_name": "Gen:Variant.Ulise", "target": null }, { "id": "Trojan.Win64", "display_name": "Trojan.Win64", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "Heur.BZC.YAX.Pantera.10", "display_name": "Heur.BZC.YAX.Pantera.10", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "CVE-2015-1650", "display_name": "CVE-2015-1650", "target": null }, { "id": "Worm.Win64.AutoRun", "display_name": "Worm.Win64.AutoRun", "target": null }, { "id": "AIT.Heur.Cottonmouth.8.78F19BD7", "display_name": "AIT.Heur.Cottonmouth.8.78F19BD7", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Pua.Gen", "display_name": "Pua.Gen", "target": null }, { "id": "Trojan.Downloader.Generic", "display_name": "Trojan.Downloader.Generic", "target": null }, { "id": "Suspected of Trojan.Downloader.gen", "display_name": "Suspected of Trojan.Downloader.gen", "target": null }, { "id": "HEUR:RemoteAdmin.Generic", "display_name": "HEUR:RemoteAdmin.Generic", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "Nemucod.A", "display_name": "Nemucod.A", "target": null }, { "id": "Backdoor.Hupigon", "display_name": "Backdoor.Hupigon", "target": null }, { "id": "Trojan.Starter JS.Iframe", "display_name": "Trojan.Starter JS.Iframe", "target": null }, { "id": "fake ,promethiumm ,strongpity", "display_name": "fake ,promethiumm ,strongpity", "target": null }, { "id": "PUA.Reg1staid", "display_name": "PUA.Reg1staid", "target": null }, { "id": "Malware.Heur_Generic.A", "display_name": "Malware.Heur_Generic.A", "target": null }, { "id": "Bladabindi.Q", "display_name": "Bladabindi.Q", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "malicious.6e0700", "display_name": "malicious.6e0700", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "RedCap.vneda", "display_name": "RedCap.vneda", "target": null }, { "id": "Trojan.Indiloadz", "display_name": "Trojan.Indiloadz", "target": null }, { "id": "Trojan.Ekstak", "display_name": "Trojan.Ekstak", "target": null }, { "id": "staticrr.paleokits.net", "display_name": "staticrr.paleokits.net", "target": null }, { "id": "MSIL.Downloader", "display_name": "MSIL.Downloader", "target": null }, { "id": "Trojan.Autoruns.GenericKDS", "display_name": "Trojan.Autoruns.GenericKDS", "target": null }, { "id": "MSIL.Trojan.BSE", "display_name": "MSIL.Trojan.BSE", "target": null }, { "id": "Adload.AD81", "display_name": "Adload.AD81", "target": null }, { "id": "Packed.Asprotect", "display_name": "Packed.Asprotect", "target": null }, { "id": "Gen:NN.ZemsilF.34062", "display_name": "Gen:NN.ZemsilF.34062", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Agent.pwc", "display_name": "Agent.pwc", "target": null }, { "id": "RiskTool.Phpw", "display_name": "RiskTool.Phpw", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Trojan.PWS", "display_name": "Trojan.PWS", "target": null }, { "id": "Generic.BitCoinMiner.3", "display_name": "Generic.BitCoinMiner.3", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "Gen:NN", "display_name": "Gen:NN", "target": null }, { "id": "Downloader.CertutilURLCache", "display_name": "Downloader.CertutilURLCache", "target": null }, { "id": "Elf", "display_name": "Elf", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Kryptik.NRD", "display_name": "Kryptik.NRD", "target": null }, { "id": "Riskware", "display_name": "Riskware", "target": null }, { "id": "Kuluoz.B.gen", "display_name": "Kuluoz.B.gen", "target": null }, { "id": "Gen:Variant.RevengeRat", "display_name": "Gen:Variant.RevengeRat", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "VB.Chronos.7", "display_name": "VB.Chronos.7", "target": null }, { "id": "Kryptik.NOE", "display_name": "Kryptik.NOE", "target": null }, { "id": "HEUR:WebToolbar.Generic", "display_name": "HEUR:WebToolbar.Generic", "target": null }, { "id": "Gen:Variant.Barys", "display_name": "Gen:Variant.Barys", "target": null }, { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Backdoor.Agent", "display_name": "Backdoor.Agent", "target": null }, { "id": "Unsafe", "display_name": "Unsafe", "target": null }, { "id": "Trojan.PHP.Agent", "display_name": "Trojan.PHP.Agent", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "HEUR:Exploit.Generic", "display_name": "HEUR:Exploit.Generic", "target": null }, { "id": "Ransom_WCRY.SMALYM", "display_name": "Ransom_WCRY.SMALYM", "target": null }, { "id": "Ransom_WCRY.SMJ", "display_name": "Ransom_WCRY.SMJ", "target": null }, { "id": "Auslogics", "display_name": "Auslogics", "target": null }, { "id": "Gen:Variant.Jaiko", "display_name": "Gen:Variant.Jaiko", "target": null }, { "id": "Exploit.W32.Agent", "display_name": "Exploit.W32.Agent", "target": null }, { "id": "Trojan.Cud.Gen", "display_name": "Trojan.Cud.Gen", "target": null }, { "id": "Trojan.DOC.Downloader", "display_name": "Trojan.DOC.Downloader", "target": null }, { "id": "Backdoor.MSIL.Agent", "display_name": "Backdoor.MSIL.Agent", "target": null }, { "id": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "display_name": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "target": null }, { "id": "Gen:Variant.Kazy", "display_name": "Gen:Variant.Kazy", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Ransom.WannaCrypt", "display_name": "Ransom.WannaCrypt", "target": null }, { "id": "Generic.ServStart.A", "display_name": "Generic.ServStart.A", "target": null }, { "id": "Trojan.Wanna", "display_name": "Trojan.Wanna", "target": null }, { "id": "Generic.MSIL.Bladabindi", "display_name": "Generic.MSIL.Bladabindi", "target": null }, { "id": "TROJ_GEN.R002C0OG518", "display_name": "TROJ_GEN.R002C0OG518", "target": null }, { "id": "Trojan.Chapak", "display_name": "Trojan.Chapak", "target": null }, { "id": "Indiloadz.BB", "display_name": "Indiloadz.BB", "target": null }, { "id": "BehavBehavesLike.PUPXBI", "display_name": "BehavBehavesLike.PUPXBI", "target": null }, { "id": "DeepScan:Generic.SpyAgent.6", "display_name": "DeepScan:Generic.SpyAgent.6", "target": null }, { "id": "Python.KeyLogger", "display_name": "Python.KeyLogger", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Generic.MSIL.PasswordStealer", "display_name": "Generic.MSIL.PasswordStealer", "target": null }, { "id": "PSW.Agent", "display_name": "PSW.Agent", "target": null }, { "id": "malicious.8c45ba", "display_name": "malicious.8c45ba", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "Constructor.MSIL", "display_name": "Constructor.MSIL", "target": null }, { "id": "Linux.Agent", "display_name": "Linux.Agent", "target": null }, { "id": "Virus.3DMax.Script", "display_name": "Virus.3DMax.Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Application.SearchProtect", "display_name": "Application.SearchProtect", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Faceliker.A", "display_name": "Faceliker.A", "target": null }, { "id": "JS:Trojan.JS.Faceliker", "display_name": "JS:Trojan.JS.Faceliker", "target": null }, { "id": "Constructor.MSIL Linux.Agent", "display_name": "Constructor.MSIL Linux.Agent", "target": null }, { "id": "PowerShell.Trojan", "display_name": "PowerShell.Trojan", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "Injector.CLDS", "display_name": "Injector.CLDS", "target": null }, { "id": "VB.Downloader.2", "display_name": "VB.Downloader.2", "target": null }, { "id": "malicious.3e78cc", "display_name": "malicious.3e78cc", "target": null }, { "id": "malicious.d800d6", "display_name": "malicious.d800d6", "target": null }, { "id": "VB.PwShell.2", "display_name": "VB.PwShell.2", "target": null }, { "id": "Backdoor.RBot", "display_name": "Backdoor.RBot", "target": null }, { "id": "malicious.71b1a8", "display_name": "malicious.71b1a8", "target": null }, { "id": "TrojanSpy.KeyLogger", "display_name": "TrojanSpy.KeyLogger", "target": null }, { "id": "Injector.JDO", "display_name": "Injector.JDO", "target": null }, { "id": "Heur.Msword.Gen", "display_name": "Heur.Msword.Gen", "target": null }, { "id": "PSW.Discord", "display_name": "PSW.Discord", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "HEUR:AdWare.StartSurf", "display_name": "HEUR:AdWare.StartSurf", "target": null }, { "id": "Gen:Heur.NoobyProtect", "display_name": "Gen:Heur.NoobyProtect", "target": null }, { "id": "CIL.HeapOverride", "display_name": "CIL.HeapOverride", "target": null }, { "id": "HEUR:Trojan.Tasker", "display_name": "HEUR:Trojan.Tasker", "target": null }, { "id": "XLM.Trojan.Abracadabra.27", "display_name": "XLM.Trojan.Abracadabra.27", "target": null }, { "id": "HEUR:Backdoor.MSIL.NanoBot", "display_name": "HEUR:Backdoor.MSIL.NanoBot", "target": null }, { "id": "Trojan.PSW.Mimikatz", "display_name": "Trojan.PSW.Mimikatz", "target": null }, { "id": "TrojanSpy.Python", "display_name": "TrojanSpy.Python", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "Exploit.MSOffice", "display_name": "Exploit.MSOffice", "target": null }, { "id": "DeepScan:Generic.Ransom.AmnesiaE", "display_name": "DeepScan:Generic.Ransom.AmnesiaE", "target": null }, { "id": "Wacatac.D6", "display_name": "Wacatac.D6", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "Packed.NetSeal", "display_name": "Packed.NetSeal", "target": null }, { "id": "Trojan.MSIL.Injector", "display_name": "Trojan.MSIL.Injector", "target": null }, { "id": "Trojan.PWS.Agent", "display_name": "Trojan.PWS.Agent", "target": null }, { "id": "TScope.Trojan", "display_name": "TScope.Trojan", "target": null }, { "id": "PSW.Stealer", "display_name": "PSW.Stealer", "target": null }, { "id": "Trojan.PackedNET", "display_name": "Trojan.PackedNET", "target": null }, { "id": "Trojan.Java", "display_name": "Trojan.Java", "target": null }, { "id": "MalwareX", "display_name": "MalwareX", "target": null }, { "id": "Trojan.PSW.Python", "display_name": "Trojan.PSW.Python", "target": null }, { "id": "malicious.11abfc", "display_name": "malicious.11abfc", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HEUR:Trojan.MSIL.Tasker", "display_name": "HEUR:Trojan.MSIL.Tasker", "target": null }, { "id": "PossibleThreat.PALLAS", "display_name": "PossibleThreat.PALLAS", "target": null }, { "id": "Backdoor.Poison", "display_name": "Backdoor.Poison", "target": null }, { "id": "Generic.MSIL.LimeRAT", "display_name": "Generic.MSIL.LimeRAT", "target": null }, { "id": "PWS-FCZZ", "display_name": "PWS-FCZZ", "target": null }, { "id": "Trojan.Script", "display_name": "Trojan.Script", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Trojan.PWS.Growtopia", "display_name": "Trojan.PWS.Growtopia", "target": null }, { "id": "Spyware.Bobik", "display_name": "Spyware.Bobik", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Hack.Patcher", "display_name": "Hack.Patcher", "target": null }, { "id": "PWS.p", "display_name": "PWS.p", "target": null }, { "id": "Suppobox", "display_name": "Suppobox", "target": null }, { "id": "index.php", "display_name": "index.php", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "HEUR:Trojan.MSOffice.SAgent", "display_name": "HEUR:Trojan.MSOffice.SAgent", "target": null }, { "id": "Script.INF", "display_name": "Script.INF", "target": null }, { "id": "JS:Trojan.JS.Likejack", "display_name": "JS:Trojan.JS.Likejack", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "Trojan.JS.Agent", "display_name": "Trojan.JS.Agent", "target": null }, { "id": "APT Notes", "display_name": "APT Notes", "target": null }, { "id": "susp.rtf.objupdate", "display_name": "susp.rtf.objupdate", "target": null }, { "id": "RedCap.zoohz", "display_name": "RedCap.zoohz", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "virus.office.qexvmc", "display_name": "virus.office.qexvmc", "target": null }, { "id": "Trojan.KillProc", "display_name": "Trojan.KillProc", "target": null }, { "id": "Generic.MSIL.GrwtpStealer.1", "display_name": "Generic.MSIL.GrwtpStealer.1", "target": null }, { "id": "Suspicious.Cloud", "display_name": "Suspicious.Cloud", "target": null }, { "id": "PowerShell.DownLoader", "display_name": "PowerShell.DownLoader", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "AGEN.1030939", "display_name": "AGEN.1030939", "target": null }, { "id": "HackTool.Binder", "display_name": "HackTool.Binder", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "Dldr.Agent", "display_name": "Dldr.Agent", "target": null }, { "id": "Dropper.MSIL", "display_name": "Dropper.MSIL", "target": null }, { "id": "Trojan.VBKryjetor", "display_name": "Trojan.VBKryjetor", "target": null }, { "id": "PWSX", "display_name": "PWSX", "target": null }, { "id": "VB:Trojan.VBA.Agent", "display_name": "VB:Trojan.VBA.Agent", "target": null }, { "id": "HEUR:Trojan.MSOffice.Stratos", "display_name": "HEUR:Trojan.MSOffice.Stratos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "654c5970817e6bf8b0e5b5ff", "export_count": 334, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1184, "FileHash-SHA1": 949, "FileHash-SHA256": 3712, "URL": 2925, "domain": 627, "hostname": 1319, "CVE": 26, "email": 8, "CIDR": 2 }, "indicator_count": 10752, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654d29ff31857aafba0358e1", "name": "Lucky Mouse APT27 | Feodo Tracker | Malicious Tor Server | Apple iOS", "description": "", "modified": "2023-12-09T03:01:57.989000", "created": "2023-11-09T18:50:39.675000", "tags": [ "ssl certificate", "historical ssl", "communicating", "contacted", "resolutions", "whois record", "whois whois", "whois parent", "whois siblings", "skynet", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "back", "download", "phishing", "union", "bank", "malicious site", "blacklist http", "exit", "traffic", "node tcp", "tor known", "tor relayrouter", "et tor", "known tor", "relayrouter", "anonymizer", "spammer", "malware", "dropped", "unlocker", "http", "critical risk", "redline stealer", "core", "hacktool", "execution", "type win32", "exe size", "first seen", "file name", "avast win32", "win32", "avg win32", "fortinet", "vitro", "mb first", "rmndrp", "clean mx", "undetected dns8", "undetected vx", "sophos", "vault", "zdb zeus", "cmc threat", "snort ip", "feodo tracker", "cybereason", "send bug", "pe yandex", "no data", "tag count", "count blacklist", "tag tag", "algorithm", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "first", "seen", "valid", "no na", "no no", "ip security", "cndst root", "ca x3", "ca id", "research group", "cnisrg root", "no expired", "mozilla", "android", "malicious red team", "tsara brashears", "cyber stalking", "malvertizing", "invasion of privacy", "threat", "adult content", "apple", "iphone unlocker", "android", "exploited spyware", "malware host", "brute force", "revenge-rat", "banker", "evasive", "domain", "redline", "stealer", "phishing", "ramnit", "unreliable subdomains", "dridex", "gating", "msil", "rat", "loki", "network", "hacking", "sinkhole", "azorult", "c2", "historicalandnew", "targeted attack", "puffstealer", "rultazo", "lokibot", "loki pws", "burkina", "banker,dde,dridex,exploit", "banker,dridex,evasive", "trickbot", "ransomware,torrentlocker", "exploit_source", "blacknet", "FileRepMalware", "linux agent", "blacknet", "ios", "phishing paypal", "tagging", "defacement", "hit", "bounty", "phishing site", "malware site", "malware download", "endangerment", "Malicious domain - SANS Internet Storm Center", "evasive,msil,rat,revenge-rat", "prism_setting", "prism_object", "static engine", "social engineering", "jansky", "worm", "network rat", "networm", "Loki Password Stealer (PWS)", "South Carolina Federal Credit Union phishing", "darkweb", "yandex", "redirectors", "blacknet threats", "phishing,ransomware,sinkhole", "wanacrypt0r,wannacry,wcry", "tor c++", "tor c++ client", "python user", "js user", "hacker", "hijacker", "heur", "maltiverse", "alexa top", "exploit", "riskware", "unsafe", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "crack", "webtoolbar", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "__convergedlogin_pcustomizationloader_44b450e8d543eb53930d", "malicious url", "financial", "blacknet rat", "azorult", "stealer", "deep scan", "blacklist https", "referrer", "collections kp", "incident ip", "sneaky server", "replacement", "unauthorized", "emotet", "noname057", "generic malware", "engineering", "cyber threat", "facebook", "paypal", "dropbox", "united", "america", "banking", "wells fargo", "steam", "twitter", "sliver", "daum", "swift", "runescape", "betabot", "district", "iframe", "alexa", "downldr", "agent", "presenoker", "bladabindi", "live", "conduit", "pony", "covid19", "malicious", "cobalt strike", "suppobox", "ramnit", "meterpreter", "virut", "njrat", "pykspa", "asyncrat", "downloader", "fakealert", "binder", "virustotal", "formbook", "necurs", "trojan", "msil", "hiloti", "vawtrak", "simda", "kraken", "solimba", "icedid", "redirector", "suspic", "amadey", "raccoon", "nanocore rat", "revenge rat", "genkryptik", "fuery", "wacatac", "service", "cloudeye", "tinba", "domaiq", "ave maria", "zeus", "ransomware", "zbot", "generic", "trojanspy", "states", "inmortal", "locky", "strike", "china cobalt", "keybase", "cutwail", "citadel", "radamant", "kovter", "bradesco", "nymaim", "amonetize", "bondat", "ghost rat", "vjw0rm", "bandoo", "matsnu", "dnspionage", "darkgate", "vidar", "keylogger", "remcos", "agenttesla", "detplock", "win64", "smokeloader", "agent tesla", "kgs0", "kls0", "urls", "type name", "dns replication", "date", "domain", "win32 exe", "files", "detections type", "name", "drpsuinstaller", "vdfsurfs", "opera", "icwrmind", "notepad", "installer", "miner", "unknown", "networm", "houdini", "quasar rat", "gamehack", "dbatloader", "qakbot", "ursnif", "CVE-2005-1790", "CVE-2009-3672", "CVE-2010-3962", "CVE-2012-3993", "CVE-2014-6332", "CVE-2017-11882", "CVE-2020-0601", "CVE-2020-0674", "hallrender.com", "brian sabey", "insurance", "botnetwork", "botmaster", "command_and_control", "CVE-2021-27065", "CVE-2021-40444", "CVE-2023-4966", "CVE-2017-0199", "CVE-2018-4893", "CVE-2010-3333", "CVE-2015-1641", "CVE-2017-0147", "CVE-2017-8570", "CVE-2018-0802", "CVE-2018-8373", "CVE-2017-8759", "CVE-2018-8453", "CVE-2014-3153", "CVE-2015-1650", "CVE-2017-0143", "CVE-2017-8464", "Icefog", "Delf.NBX", "$WebWatson", "Gen:Heur.Ransom.HiddenTears", "mobilekey.pw", "bitbucket.org", "Anomalous.100%", "malware distribution site", "gootkit", "edsaid", "rightsaided", "betabot", "cobaltstrike4.tk", "mas.to", "BehavesLike.YahLover", "srdvd16010404", "languageenu", "buildno", "channelisales", "vendorname2581", "osregion", "device", "systemlocale", "majorver16", "quasar", "find", "lockbit", "chaos", "ransomexx", "grandoreiro", "evilnum", "banker" ], "references": [ "https://hybrid-analysis.com/sample/6765f47ea77c8274c8e4973ed95aedf59e75998c62f6029e23c58cdf36ed85ba/654afdbdc621e7037801cce7", "20.99.186.246 exploit source", "fp2e7a.wpc.2be4.phicdn.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing, ELF, Prism.exe found)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password cracker)", "http://182.22.25.124:7878/182.22.25.124:443 (malicious dropper)", "init.ess.apple.com (malicious code script)", "https://www.pornhub.com/video/search?search=tsara+brashears (Malicious PW cracker | stylebk.css stylesheets - not found )", "https://urlscan.io/result/a328d9ff-fb49-4078-960d-a757fd41404f/#indicators", "VirusTotal Link: https://www.virustotal.com/gui/ip-address/20.99.186.246/detection", "Abuse IPDB Link: https://www.abuseipdb.com/check/20.99.186.246", "IPv4 45.12.253.72. command_and_control", "Hostname: ddos.dnsnb8.net command_and_control", "IPv4 95.213.186.51 command_and_control", "Hostname: www.supernetforme.com command_and_control", "IPv4 103.224.182.246 command_and_control", "IPv4 72.251.233.245 command_and_control", "IPv4 63.251.106.25 command_and_control", "IPv4 45.15.156.208 command_and_control", "IPv4 104.247.81.51 command_and_control", "http://ambisexual.phone-sex-blogs.com/http:/ambisexual.phone-sex-blogs.com/images/thumbnails/pic118.jpg (phishing)", "https://downloaddevtools.ir/ (phishing)", "happylifehappywife.com", "apples.encryptedwork.com (Interesting in the blacknet)", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635. (iOS unlocker and hijacker)", "https://www.anyxxxtube.net/media/favicon/apple (password cracker and iOS hijacker)", "https://www.apple.com/shop/browse/open/country_selector (exploit)", "www.norad.mil (federal tracking tool used by attorneys, law firms, and private investigators 'licensed or unlicensed') hi!", "http://init-p01st.push.apple.com/bag (malicious web creator)", "opencve.djgummikuh.de (CVE dispensary)", "Maltiverse Research Team", "URLscan.io", "Deep Research", "Hybrid Analysis", "URLhaus Abuse.ch", "Cyber Threat Coalition", "ThreatFox Abuse.ch" ], "public": 1, "adversary": "Lucky Mouse APT27 | NoName057(16) | Unnamed", "targeted_countries": [ "United States of America", "France", "Spain" ], "malware_families": [ { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "Ramnit.N", "display_name": "Ramnit.N", "target": null }, { "id": "Loki Bot", "display_name": "Loki Bot", "target": null }, { "id": "Loki Password Stealer (PWS)", "display_name": "Loki Password Stealer (PWS)", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Zbd Zeus", "display_name": "Zbd Zeus", "target": null }, { "id": "Trojan:MSIL/Burkina", "display_name": "Trojan:MSIL/Burkina", "target": "/malware/Trojan:MSIL/Burkina" }, { "id": "Generic.TrickBot.1", "display_name": "Generic.TrickBot.1", "target": null }, { "id": "Exploit.CVE", "display_name": "Exploit.CVE", "target": null }, { "id": "Injector.IS.gen", "display_name": "Injector.IS.gen", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Trojan.Androm.Gen", "display_name": "Trojan.Androm.Gen", "target": null }, { "id": "HEUR:Trojan.Linux.Agent", "display_name": "HEUR:Trojan.Linux.Agent", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "VBA.Downloader", "display_name": "VBA.Downloader", "target": null }, { "id": "Trojan.Notifier", "display_name": "Trojan.Notifier", "target": null }, { "id": "HEUR:Trojan.MSOffice.Alien", "display_name": "HEUR:Trojan.MSOffice.Alien", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Gen:Variant.Johnnie", "display_name": "Gen:Variant.Johnnie", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan:Python/Downldr", "display_name": "Trojan:Python/Downldr", "target": "/malware/Trojan:Python/Downldr" }, { "id": "Trojan:Linux/Downldr", "display_name": "Trojan:Linux/Downldr", "target": "/malware/Trojan:Linux/Downldr" }, { "id": "Trojan:VBA/Downldr", "display_name": "Trojan:VBA/Downldr", "target": "/malware/Trojan:VBA/Downldr" }, { "id": "TrojanDownloader:Linux/Downldr", "display_name": "TrojanDownloader:Linux/Downldr", "target": "/malware/TrojanDownloader:Linux/Downldr" }, { "id": "Kryptik.FPH.gen", "display_name": "Kryptik.FPH.gen", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.JAT", "display_name": "Phish.JAT", "target": null }, { "id": "Phishing.HTML", "display_name": "Phishing.HTML", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Xegumumune.8596c22f", "display_name": "Xegumumune.8596c22f", "target": null }, { "id": "Generic.Malware.SMYB", "display_name": "Generic.Malware.SMYB", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "Agent.NBAE", "display_name": "Agent.NBAE", "target": null }, { "id": "AGEN.1045227", "display_name": "AGEN.1045227", "target": null }, { "id": "Riskware.Agent", "display_name": "Riskware.Agent", "target": null }, { "id": "Gen:Variant.Cerbu", "display_name": "Gen:Variant.Cerbu", "target": null }, { "id": "IL:Trojan.MSILZilla", "display_name": "IL:Trojan.MSILZilla", "target": null }, { "id": "Dropped:Generic.Ransom.DMR", "display_name": "Dropped:Generic.Ransom.DMR", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Trojan.Heur", "display_name": "Trojan.Heur", "target": null }, { "id": "Trojan.Malware.300983", "display_name": "Trojan.Malware.300983", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "Trojan.DelShad", "display_name": "Trojan.DelShad", "target": null }, { "id": "Exploit CVE-2017-11882", "display_name": "Exploit CVE-2017-11882", "target": null }, { "id": "GameHack.NL", "display_name": "GameHack.NL", "target": null }, { "id": "JS:Trojan.HideLink", "display_name": "JS:Trojan.HideLink", "target": null }, { "id": "Script.Agent", "display_name": "Script.Agent", "target": null }, { "id": "Macro.Agent", "display_name": "Macro.Agent", "target": null }, { "id": "Macro.Downloader.AMIP", "display_name": "Macro.Downloader.AMIP", "target": null }, { "id": "Trojan.VBA", "display_name": "Trojan.VBA", "target": null }, { "id": "HEUR.VBA.Trojan", "display_name": "HEUR.VBA.Trojan", "target": null }, { "id": "VB.EmoooDldr.10", "display_name": "VB.EmoooDldr.10", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Packed-GV", "display_name": "Packed-GV", "target": null }, { "id": "Adware.InstallMonetizer", "display_name": "Adware.InstallMonetizer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Presenoker", "display_name": "Presenoker", "target": null }, { "id": "SGeneric", "display_name": "SGeneric", "target": null }, { "id": "GameHack.DOM", "display_name": "GameHack.DOM", "target": null }, { "id": "BehavesLike.Ransom", "display_name": "BehavesLike.Ransom", "target": null }, { "id": "CIL.StupidCryptor", "display_name": "CIL.StupidCryptor", "target": null }, { "id": "Gen:Heur.Ransom.MSIL", "display_name": "Gen:Heur.Ransom.MSIL", "target": null }, { "id": "Black.Gen2", "display_name": "Black.Gen2", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Trojan.HTML.PHISH", "display_name": "Trojan.HTML.PHISH", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Program.Unwanted", "display_name": "Program.Unwanted", "target": null }, { "id": "HEUR/QVM42.3.72EB.Malware", "display_name": "HEUR/QVM42.3.72EB.Malware", "target": null }, { "id": "suspicious.low.ml", "display_name": "suspicious.low.ml", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Suspicious_GEN.F47V0520", "display_name": "Suspicious_GEN.F47V0520", "target": null }, { "id": "Dropper.Trojan.Generic", "display_name": "Dropper.Trojan.Generic", "target": null }, { "id": "Trojan.TrickBot", "display_name": "Trojan.TrickBot", "target": null }, { "id": "Malware.Tk.Generic", "display_name": "Malware.Tk.Generic", "target": null }, { "id": "TrojanSpy.Java", "display_name": "TrojanSpy.Java", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "BehavesLike.Exploit", "display_name": "BehavesLike.Exploit", "target": null }, { "id": "Gen:NN.ZemsilF.34128", "display_name": "Gen:NN.ZemsilF.34128", "target": null }, { "id": "Wacapew.C", "display_name": "Wacapew.C", "target": null }, { "id": "Trojan.Malware.121218", "display_name": "Trojan.Malware.121218", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "W32.Trojan", "display_name": "W32.Trojan", "target": null }, { "id": "BScope.Riskware", "display_name": "BScope.Riskware", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "Virus.Ramnit", "display_name": "Virus.Ramnit", "target": null }, { "id": "Virus.Virut", "display_name": "Virus.Virut", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "AGEN.1141126", "display_name": "AGEN.1141126", "target": null }, { "id": "W32.AIDetect", "display_name": "W32.AIDetect", "target": null }, { "id": "Trojan.Python", "display_name": "Trojan.Python", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Adware.Downware", "display_name": "Adware.Downware", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Gen:Variant.Midie", "display_name": "Gen:Variant.Midie", "target": null }, { "id": "HEUR/QVM41.2.DA9B.Malware", "display_name": "HEUR/QVM41.2.DA9B.Malware", "target": null }, { "id": "Gen:Variant.Sirefef", "display_name": "Gen:Variant.Sirefef", "target": null }, { "id": "Macro.Trojan.Dropperd", "display_name": "Macro.Trojan.Dropperd", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Redcap.rlhse", "display_name": "Redcap.rlhse", "target": null }, { "id": "Trojan.Trickster", "display_name": "Trojan.Trickster", "target": null }, { "id": "HTML_REDIR.SMR", "display_name": "HTML_REDIR.SMR", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "JS:Iframe", "display_name": "JS:Iframe", "target": null }, { "id": "Application.SQLCrack", "display_name": "Application.SQLCrack", "target": null }, { "id": "susp.lnk", "display_name": "susp.lnk", "target": null }, { "id": "QVM201.0.B70B.Malware", "display_name": "QVM201.0.B70B.Malware", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebMonitor RAT", "display_name": "WebMonitor RAT", "target": null }, { "id": "Tor - S0183", "display_name": "Tor - S0183", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCryptor", "display_name": "WannaCryptor", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "DeepScan:Generic.Ransom.GandCrab5", "display_name": "DeepScan:Generic.Ransom.GandCrab5", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "States", "display_name": "States", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "Gen:NN.ZexaF.32515", "display_name": "Gen:NN.ZexaF.32515", "target": null }, { "id": "FileRepMalware", "display_name": "FileRepMalware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Icefog", "display_name": "Icefog", "target": null }, { "id": "$WebWatson", "display_name": "$WebWatson", "target": null }, { "id": "Agent.AIK.gen", "display_name": "Agent.AIK.gen", "target": null }, { "id": "Agent.AIK.genCIL.StupidCryptor", "display_name": "Agent.AIK.genCIL.StupidCryptor", "target": null }, { "id": "Agent.YPEZ", "display_name": "Agent.YPEZ", "target": null }, { "id": "Application.InnovativSol", "display_name": "Application.InnovativSol", "target": null }, { "id": "Agent.ASO", "display_name": "Agent.ASO", "target": null }, { "id": "S-b748adc5", "display_name": "S-b748adc5", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "Kryptik.GUCB", "display_name": "Kryptik.GUCB", "target": null }, { "id": "AgentTesla", "display_name": "AgentTesla", "target": null }, { "id": "Autoit.bimwt", "display_name": "Autoit.bimwt", "target": null }, { "id": "HEUR:Trojan.OLE2.Alien", "display_name": "HEUR:Trojan.OLE2.Alien", "target": null }, { "id": "AGEN.1038489", "display_name": "AGEN.1038489", "target": null }, { "id": "Gen:Variant.Ser.Strictor", "display_name": "Gen:Variant.Ser.Strictor", "target": null }, { "id": "Packed.Themida.Gen", "display_name": "Packed.Themida.Gen", "target": null }, { "id": "AGEN.1043164", "display_name": "AGEN.1043164", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.PornoAsset", "display_name": "Trojan.PornoAsset", "target": null }, { "id": "Ransom.Win64.PORNOASSET.SM1", "display_name": "Ransom.Win64.PORNOASSET.SM1", "target": null }, { "id": "Gen:Variant.Ulise", "display_name": "Gen:Variant.Ulise", "target": null }, { "id": "Trojan.Win64", "display_name": "Trojan.Win64", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "Heur.BZC.YAX.Pantera.10", "display_name": "Heur.BZC.YAX.Pantera.10", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "CVE-2015-1650", "display_name": "CVE-2015-1650", "target": null }, { "id": "Worm.Win64.AutoRun", "display_name": "Worm.Win64.AutoRun", "target": null }, { "id": "AIT.Heur.Cottonmouth.8.78F19BD7", "display_name": "AIT.Heur.Cottonmouth.8.78F19BD7", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Pua.Gen", "display_name": "Pua.Gen", "target": null }, { "id": "Trojan.Downloader.Generic", "display_name": "Trojan.Downloader.Generic", "target": null }, { "id": "Suspected of Trojan.Downloader.gen", "display_name": "Suspected of Trojan.Downloader.gen", "target": null }, { "id": "HEUR:RemoteAdmin.Generic", "display_name": "HEUR:RemoteAdmin.Generic", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "Nemucod.A", "display_name": "Nemucod.A", "target": null }, { "id": "Backdoor.Hupigon", "display_name": "Backdoor.Hupigon", "target": null }, { "id": "Trojan.Starter JS.Iframe", "display_name": "Trojan.Starter JS.Iframe", "target": null }, { "id": "fake ,promethiumm ,strongpity", "display_name": "fake ,promethiumm ,strongpity", "target": null }, { "id": "PUA.Reg1staid", "display_name": "PUA.Reg1staid", "target": null }, { "id": "Malware.Heur_Generic.A", "display_name": "Malware.Heur_Generic.A", "target": null }, { "id": "Bladabindi.Q", "display_name": "Bladabindi.Q", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "malicious.6e0700", "display_name": "malicious.6e0700", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "RedCap.vneda", "display_name": "RedCap.vneda", "target": null }, { "id": "Trojan.Indiloadz", "display_name": "Trojan.Indiloadz", "target": null }, { "id": "Trojan.Ekstak", "display_name": "Trojan.Ekstak", "target": null }, { "id": "staticrr.paleokits.net", "display_name": "staticrr.paleokits.net", "target": null }, { "id": "MSIL.Downloader", "display_name": "MSIL.Downloader", "target": null }, { "id": "Trojan.Autoruns.GenericKDS", "display_name": "Trojan.Autoruns.GenericKDS", "target": null }, { "id": "MSIL.Trojan.BSE", "display_name": "MSIL.Trojan.BSE", "target": null }, { "id": "Adload.AD81", "display_name": "Adload.AD81", "target": null }, { "id": "Packed.Asprotect", "display_name": "Packed.Asprotect", "target": null }, { "id": "Gen:NN.ZemsilF.34062", "display_name": "Gen:NN.ZemsilF.34062", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Agent.pwc", "display_name": "Agent.pwc", "target": null }, { "id": "RiskTool.Phpw", "display_name": "RiskTool.Phpw", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Trojan.PWS", "display_name": "Trojan.PWS", "target": null }, { "id": "Generic.BitCoinMiner.3", "display_name": "Generic.BitCoinMiner.3", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "Gen:NN", "display_name": "Gen:NN", "target": null }, { "id": "Downloader.CertutilURLCache", "display_name": "Downloader.CertutilURLCache", "target": null }, { "id": "Elf", "display_name": "Elf", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Kryptik.NRD", "display_name": "Kryptik.NRD", "target": null }, { "id": "Riskware", "display_name": "Riskware", "target": null }, { "id": "Kuluoz.B.gen", "display_name": "Kuluoz.B.gen", "target": null }, { "id": "Gen:Variant.RevengeRat", "display_name": "Gen:Variant.RevengeRat", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "VB.Chronos.7", "display_name": "VB.Chronos.7", "target": null }, { "id": "Kryptik.NOE", "display_name": "Kryptik.NOE", "target": null }, { "id": "HEUR:WebToolbar.Generic", "display_name": "HEUR:WebToolbar.Generic", "target": null }, { "id": "Gen:Variant.Barys", "display_name": "Gen:Variant.Barys", "target": null }, { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Backdoor.Agent", "display_name": "Backdoor.Agent", "target": null }, { "id": "Unsafe", "display_name": "Unsafe", "target": null }, { "id": "Trojan.PHP.Agent", "display_name": "Trojan.PHP.Agent", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "HEUR:Exploit.Generic", "display_name": "HEUR:Exploit.Generic", "target": null }, { "id": "Ransom_WCRY.SMALYM", "display_name": "Ransom_WCRY.SMALYM", "target": null }, { "id": "Ransom_WCRY.SMJ", "display_name": "Ransom_WCRY.SMJ", "target": null }, { "id": "Auslogics", "display_name": "Auslogics", "target": null }, { "id": "Gen:Variant.Jaiko", "display_name": "Gen:Variant.Jaiko", "target": null }, { "id": "Exploit.W32.Agent", "display_name": "Exploit.W32.Agent", "target": null }, { "id": "Trojan.Cud.Gen", "display_name": "Trojan.Cud.Gen", "target": null }, { "id": "Trojan.DOC.Downloader", "display_name": "Trojan.DOC.Downloader", "target": null }, { "id": "Backdoor.MSIL.Agent", "display_name": "Backdoor.MSIL.Agent", "target": null }, { "id": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "display_name": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "target": null }, { "id": "Gen:Variant.Kazy", "display_name": "Gen:Variant.Kazy", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Ransom.WannaCrypt", "display_name": "Ransom.WannaCrypt", "target": null }, { "id": "Generic.ServStart.A", "display_name": "Generic.ServStart.A", "target": null }, { "id": "Trojan.Wanna", "display_name": "Trojan.Wanna", "target": null }, { "id": "Generic.MSIL.Bladabindi", "display_name": "Generic.MSIL.Bladabindi", "target": null }, { "id": "TROJ_GEN.R002C0OG518", "display_name": "TROJ_GEN.R002C0OG518", "target": null }, { "id": "Trojan.Chapak", "display_name": "Trojan.Chapak", "target": null }, { "id": "Indiloadz.BB", "display_name": "Indiloadz.BB", "target": null }, { "id": "BehavBehavesLike.PUPXBI", "display_name": "BehavBehavesLike.PUPXBI", "target": null }, { "id": "DeepScan:Generic.SpyAgent.6", "display_name": "DeepScan:Generic.SpyAgent.6", "target": null }, { "id": "Python.KeyLogger", "display_name": "Python.KeyLogger", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Generic.MSIL.PasswordStealer", "display_name": "Generic.MSIL.PasswordStealer", "target": null }, { "id": "PSW.Agent", "display_name": "PSW.Agent", "target": null }, { "id": "malicious.8c45ba", "display_name": "malicious.8c45ba", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "Constructor.MSIL", "display_name": "Constructor.MSIL", "target": null }, { "id": "Linux.Agent", "display_name": "Linux.Agent", "target": null }, { "id": "Virus.3DMax.Script", "display_name": "Virus.3DMax.Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Application.SearchProtect", "display_name": "Application.SearchProtect", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Faceliker.A", "display_name": "Faceliker.A", "target": null }, { "id": "JS:Trojan.JS.Faceliker", "display_name": "JS:Trojan.JS.Faceliker", "target": null }, { "id": "Constructor.MSIL Linux.Agent", "display_name": "Constructor.MSIL Linux.Agent", "target": null }, { "id": "PowerShell.Trojan", "display_name": "PowerShell.Trojan", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "Injector.CLDS", "display_name": "Injector.CLDS", "target": null }, { "id": "VB.Downloader.2", "display_name": "VB.Downloader.2", "target": null }, { "id": "malicious.3e78cc", "display_name": "malicious.3e78cc", "target": null }, { "id": "malicious.d800d6", "display_name": "malicious.d800d6", "target": null }, { "id": "VB.PwShell.2", "display_name": "VB.PwShell.2", "target": null }, { "id": "Backdoor.RBot", "display_name": "Backdoor.RBot", "target": null }, { "id": "malicious.71b1a8", "display_name": "malicious.71b1a8", "target": null }, { "id": "TrojanSpy.KeyLogger", "display_name": "TrojanSpy.KeyLogger", "target": null }, { "id": "Injector.JDO", "display_name": "Injector.JDO", "target": null }, { "id": "Heur.Msword.Gen", "display_name": "Heur.Msword.Gen", "target": null }, { "id": "PSW.Discord", "display_name": "PSW.Discord", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "HEUR:AdWare.StartSurf", "display_name": "HEUR:AdWare.StartSurf", "target": null }, { "id": "Gen:Heur.NoobyProtect", "display_name": "Gen:Heur.NoobyProtect", "target": null }, { "id": "CIL.HeapOverride", "display_name": "CIL.HeapOverride", "target": null }, { "id": "HEUR:Trojan.Tasker", "display_name": "HEUR:Trojan.Tasker", "target": null }, { "id": "XLM.Trojan.Abracadabra.27", "display_name": "XLM.Trojan.Abracadabra.27", "target": null }, { "id": "HEUR:Backdoor.MSIL.NanoBot", "display_name": "HEUR:Backdoor.MSIL.NanoBot", "target": null }, { "id": "Trojan.PSW.Mimikatz", "display_name": "Trojan.PSW.Mimikatz", "target": null }, { "id": "TrojanSpy.Python", "display_name": "TrojanSpy.Python", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "Exploit.MSOffice", "display_name": "Exploit.MSOffice", "target": null }, { "id": "DeepScan:Generic.Ransom.AmnesiaE", "display_name": "DeepScan:Generic.Ransom.AmnesiaE", "target": null }, { "id": "Wacatac.D6", "display_name": "Wacatac.D6", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "Packed.NetSeal", "display_name": "Packed.NetSeal", "target": null }, { "id": "Trojan.MSIL.Injector", "display_name": "Trojan.MSIL.Injector", "target": null }, { "id": "Trojan.PWS.Agent", "display_name": "Trojan.PWS.Agent", "target": null }, { "id": "TScope.Trojan", "display_name": "TScope.Trojan", "target": null }, { "id": "PSW.Stealer", "display_name": "PSW.Stealer", "target": null }, { "id": "Trojan.PackedNET", "display_name": "Trojan.PackedNET", "target": null }, { "id": "Trojan.Java", "display_name": "Trojan.Java", "target": null }, { "id": "MalwareX", "display_name": "MalwareX", "target": null }, { "id": "Trojan.PSW.Python", "display_name": "Trojan.PSW.Python", "target": null }, { "id": "malicious.11abfc", "display_name": "malicious.11abfc", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HEUR:Trojan.MSIL.Tasker", "display_name": "HEUR:Trojan.MSIL.Tasker", "target": null }, { "id": "PossibleThreat.PALLAS", "display_name": "PossibleThreat.PALLAS", "target": null }, { "id": "Backdoor.Poison", "display_name": "Backdoor.Poison", "target": null }, { "id": "Generic.MSIL.LimeRAT", "display_name": "Generic.MSIL.LimeRAT", "target": null }, { "id": "PWS-FCZZ", "display_name": "PWS-FCZZ", "target": null }, { "id": "Trojan.Script", "display_name": "Trojan.Script", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Trojan.PWS.Growtopia", "display_name": "Trojan.PWS.Growtopia", "target": null }, { "id": "Spyware.Bobik", "display_name": "Spyware.Bobik", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Hack.Patcher", "display_name": "Hack.Patcher", "target": null }, { "id": "PWS.p", "display_name": "PWS.p", "target": null }, { "id": "Suppobox", "display_name": "Suppobox", "target": null }, { "id": "index.php", "display_name": "index.php", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "HEUR:Trojan.MSOffice.SAgent", "display_name": "HEUR:Trojan.MSOffice.SAgent", "target": null }, { "id": "Script.INF", "display_name": "Script.INF", "target": null }, { "id": "JS:Trojan.JS.Likejack", "display_name": "JS:Trojan.JS.Likejack", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "Trojan.JS.Agent", "display_name": "Trojan.JS.Agent", "target": null }, { "id": "APT Notes", "display_name": "APT Notes", "target": null }, { "id": "susp.rtf.objupdate", "display_name": "susp.rtf.objupdate", "target": null }, { "id": "RedCap.zoohz", "display_name": "RedCap.zoohz", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "virus.office.qexvmc", "display_name": "virus.office.qexvmc", "target": null }, { "id": "Trojan.KillProc", "display_name": "Trojan.KillProc", "target": null }, { "id": "Generic.MSIL.GrwtpStealer.1", "display_name": "Generic.MSIL.GrwtpStealer.1", "target": null }, { "id": "Suspicious.Cloud", "display_name": "Suspicious.Cloud", "target": null }, { "id": "PowerShell.DownLoader", "display_name": "PowerShell.DownLoader", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "AGEN.1030939", "display_name": "AGEN.1030939", "target": null }, { "id": "HackTool.Binder", "display_name": "HackTool.Binder", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "Dldr.Agent", "display_name": "Dldr.Agent", "target": null }, { "id": "Dropper.MSIL", "display_name": "Dropper.MSIL", "target": null }, { "id": "Trojan.VBKryjetor", "display_name": "Trojan.VBKryjetor", "target": null }, { "id": "PWSX", "display_name": "PWSX", "target": null }, { "id": "VB:Trojan.VBA.Agent", "display_name": "VB:Trojan.VBA.Agent", "target": null }, { "id": "HEUR:Trojan.MSOffice.Stratos", "display_name": "HEUR:Trojan.MSOffice.Stratos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "654c597a4a45c8d84f0b15c1", "export_count": 341, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1184, "FileHash-SHA1": 949, "FileHash-SHA256": 3712, "URL": 2925, "domain": 627, "hostname": 1319, "CVE": 26, "email": 8, "CIDR": 2 }, "indicator_count": 10752, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654c606d74f82e547c77ad89", "name": "Ransom.Win64.PORNOASSET.SM1 | DeepScan:Generic.Ransom.GandCrab5", "description": "Ransom.Win64.PORNOASSET.SM1 DeepScan:Generic.Ransom.GandCrab5\nBlackNET RAT $WebWatson\nAuto generated results from a variety of tools.", "modified": "2023-12-09T03:01:57.989000", "created": "2023-11-09T04:30:37.089000", "tags": [ "ssl certificate", "historical ssl", "communicating", "contacted", "resolutions", "whois record", "whois whois", "whois parent", "whois siblings", "skynet", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "back", "download", "phishing", "union", "bank", "malicious site", "blacklist http", "exit", "traffic", "node tcp", "tor known", "tor relayrouter", "et tor", "known tor", "relayrouter", "anonymizer", "spammer", "malware", "dropped", "unlocker", "http", "critical risk", "redline stealer", "core", "hacktool", "execution", "type win32", "exe size", "first seen", "file name", "avast win32", "win32", "avg win32", "fortinet", "vitro", "mb first", "rmndrp", "clean mx", "undetected dns8", "undetected vx", "sophos", "vault", "zdb zeus", "cmc threat", "snort ip", "feodo tracker", "cybereason", "send bug", "pe yandex", "no data", "tag count", "count blacklist", "tag tag", "algorithm", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "first", "seen", "valid", "no na", "no no", "ip security", "cndst root", "ca x3", "ca id", "research group", "cnisrg root", "no expired", "mozilla", "android", "malicious red team", "tsara brashears", "cyber stalking", "malvertizing", "invasion of privacy", "threat", "adult content", "apple", "iphone unlocker", "android", "exploited spyware", "malware host", "brute force", "revenge-rat", "banker", "evasive", "domain", "redline", "stealer", "phishing", "ramnit", "unreliable subdomains", "dridex", "gating", "msil", "rat", "loki", "network", "hacking", "sinkhole", "azorult", "c2", "historicalandnew", "targeted attack", "puffstealer", "rultazo", "lokibot", "loki pws", "burkina", "banker,dde,dridex,exploit", "banker,dridex,evasive", "trickbot", "ransomware,torrentlocker", "exploit_source", "blacknet", "FileRepMalware", "linux agent", "blacknet", "ios", "phishing paypal", "tagging", "defacement", "hit", "bounty", "phishing site", "malware site", "malware download", "endangerment", "Malicious domain - SANS Internet Storm Center", "evasive,msil,rat,revenge-rat", "prism_setting", "prism_object", "static engine", "social engineering", "jansky", "worm", "network rat", "networm", "Loki Password Stealer (PWS)", "South Carolina Federal Credit Union phishing", "darkweb", "yandex", "redirectors", "blacknet threats", "phishing,ransomware,sinkhole", "wanacrypt0r,wannacry,wcry", "tor c++", "tor c++ client", "python user", "js user", "hacker", "hijacker", "heur", "maltiverse", "alexa top", "exploit", "riskware", "unsafe", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "crack", "webtoolbar", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "__convergedlogin_pcustomizationloader_44b450e8d543eb53930d", "malicious url", "financial", "blacknet rat", "azorult", "stealer", "deep scan", "blacklist https", "referrer", "collections kp", "incident ip", "sneaky server", "replacement", "unauthorized", "emotet", "noname057", "generic malware", "engineering", "cyber threat", "facebook", "paypal", "dropbox", "united", "america", "banking", "wells fargo", "steam", "twitter", "sliver", "daum", "swift", "runescape", "betabot", "district", "iframe", "alexa", "downldr", "agent", "presenoker", "bladabindi", "live", "conduit", "pony", "covid19", "malicious", "cobalt strike", "suppobox", "ramnit", "meterpreter", "virut", "njrat", "pykspa", "asyncrat", "downloader", "fakealert", "binder", "virustotal", "formbook", "necurs", "trojan", "msil", "hiloti", "vawtrak", "simda", "kraken", "solimba", "icedid", "redirector", "suspic", "amadey", "raccoon", "nanocore rat", "revenge rat", "genkryptik", "fuery", "wacatac", "service", "cloudeye", "tinba", "domaiq", "ave maria", "zeus", "ransomware", "zbot", "generic", "trojanspy", "states", "inmortal", "locky", "strike", "china cobalt", "keybase", "cutwail", "citadel", "radamant", "kovter", "bradesco", "nymaim", "amonetize", "bondat", "ghost rat", "vjw0rm", "bandoo", "matsnu", "dnspionage", "darkgate", "vidar", "keylogger", "remcos", "agenttesla", "detplock", "win64", "smokeloader", "agent tesla", "kgs0", "kls0", "urls", "type name", "dns replication", "date", "domain", "win32 exe", "files", "detections type", "name", "drpsuinstaller", "vdfsurfs", "opera", "icwrmind", "notepad", "installer", "miner", "unknown", "networm", "houdini", "quasar rat", "gamehack", "dbatloader", "qakbot", "ursnif", "CVE-2005-1790", "CVE-2009-3672", "CVE-2010-3962", "CVE-2012-3993", "CVE-2014-6332", "CVE-2017-11882", "CVE-2020-0601", "CVE-2020-0674", "hallrender.com", "brian sabey", "insurance", "botnetwork", "botmaster", "command_and_control", "CVE-2021-27065", "CVE-2021-40444", "CVE-2023-4966", "CVE-2017-0199", "CVE-2018-4893", "CVE-2010-3333", "CVE-2015-1641", "CVE-2017-0147", "CVE-2017-8570", "CVE-2018-0802", "CVE-2018-8373", "CVE-2017-8759", "CVE-2018-8453", "CVE-2014-3153", "CVE-2015-1650", "CVE-2017-0143", "CVE-2017-8464", "Icefog", "Delf.NBX", "$WebWatson", "Gen:Heur.Ransom.HiddenTears", "mobilekey.pw", "bitbucket.org", "Anomalous.100%", "malware distribution site", "gootkit", "edsaid", "rightsaided", "betabot", "cobaltstrike4.tk", "mas.to", "BehavesLike.YahLover", "srdvd16010404", "languageenu", "buildno", "channelisales", "vendorname2581", "osregion", "device", "systemlocale", "majorver16", "quasar", "find", "lockbit", "chaos", "ransomexx", "grandoreiro", "evilnum", "banker" ], "references": [ "https://hybrid-analysis.com/sample/6765f47ea77c8274c8e4973ed95aedf59e75998c62f6029e23c58cdf36ed85ba/654afdbdc621e7037801cce7", "20.99.186.246 exploit source", "fp2e7a.wpc.2be4.phicdn.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing, ELF, Prism.exe found)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password cracker)", "http://182.22.25.124:7878/182.22.25.124:443 (malicious dropper)", "init.ess.apple.com (malicious code script)", "https://www.pornhub.com/video/search?search=tsara+brashears (Malicious PW cracker | stylebk.css stylesheets - not found )", "https://urlscan.io/result/a328d9ff-fb49-4078-960d-a757fd41404f/#indicators", "VirusTotal Link: https://www.virustotal.com/gui/ip-address/20.99.186.246/detection", "Abuse IPDB Link: https://www.abuseipdb.com/check/20.99.186.246", "IPv4 45.12.253.72. command_and_control", "Hostname: ddos.dnsnb8.net command_and_control", "IPv4 95.213.186.51 command_and_control", "Hostname: www.supernetforme.com command_and_control", "IPv4 103.224.182.246 command_and_control", "IPv4 72.251.233.245 command_and_control", "IPv4 63.251.106.25 command_and_control", "IPv4 45.15.156.208 command_and_control", "IPv4 104.247.81.51 command_and_control", "http://ambisexual.phone-sex-blogs.com/http:/ambisexual.phone-sex-blogs.com/images/thumbnails/pic118.jpg (phishing)", "https://downloaddevtools.ir/ (phishing)", "happylifehappywife.com", "apples.encryptedwork.com (Interesting in the blacknet)", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635. (iOS unlocker and hijacker)", "https://www.anyxxxtube.net/media/favicon/apple (password cracker and iOS hijacker)", "https://www.apple.com/shop/browse/open/country_selector (exploit)", "www.norad.mil (federal tracking tool used by attorneys, law firms, and private investigators 'licensed or unlicensed') hi!", "http://init-p01st.push.apple.com/bag (malicious web creator)", "opencve.djgummikuh.de (CVE dispensary)", "Maltiverse Research Team", "URLscan.io", "Deep Research", "Hybrid Analysis", "URLhaus Abuse.ch", "Cyber Threat Coalition", "ThreatFox Abuse.ch" ], "public": 1, "adversary": "Lucky Mouse APT27 | NoName057(16) | Unnamed", "targeted_countries": [ "United States of America", "France", "Spain" ], "malware_families": [ { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "Ramnit.N", "display_name": "Ramnit.N", "target": null }, { "id": "Loki Bot", "display_name": "Loki Bot", "target": null }, { "id": "Loki Password Stealer (PWS)", "display_name": "Loki Password Stealer (PWS)", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Zbd Zeus", "display_name": "Zbd Zeus", "target": null }, { "id": "Trojan:MSIL/Burkina", "display_name": "Trojan:MSIL/Burkina", "target": "/malware/Trojan:MSIL/Burkina" }, { "id": "Generic.TrickBot.1", "display_name": "Generic.TrickBot.1", "target": null }, { "id": "Exploit.CVE", "display_name": "Exploit.CVE", "target": null }, { "id": "Injector.IS.gen", "display_name": "Injector.IS.gen", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Trojan.Androm.Gen", "display_name": "Trojan.Androm.Gen", "target": null }, { "id": "HEUR:Trojan.Linux.Agent", "display_name": "HEUR:Trojan.Linux.Agent", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "VBA.Downloader", "display_name": "VBA.Downloader", "target": null }, { "id": "Trojan.Notifier", "display_name": "Trojan.Notifier", "target": null }, { "id": "HEUR:Trojan.MSOffice.Alien", "display_name": "HEUR:Trojan.MSOffice.Alien", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Gen:Variant.Johnnie", "display_name": "Gen:Variant.Johnnie", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan:Python/Downldr", "display_name": "Trojan:Python/Downldr", "target": "/malware/Trojan:Python/Downldr" }, { "id": "Trojan:Linux/Downldr", "display_name": "Trojan:Linux/Downldr", "target": "/malware/Trojan:Linux/Downldr" }, { "id": "Trojan:VBA/Downldr", "display_name": "Trojan:VBA/Downldr", "target": "/malware/Trojan:VBA/Downldr" }, { "id": "TrojanDownloader:Linux/Downldr", "display_name": "TrojanDownloader:Linux/Downldr", "target": "/malware/TrojanDownloader:Linux/Downldr" }, { "id": "Kryptik.FPH.gen", "display_name": "Kryptik.FPH.gen", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.JAT", "display_name": "Phish.JAT", "target": null }, { "id": "Phishing.HTML", "display_name": "Phishing.HTML", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Xegumumune.8596c22f", "display_name": "Xegumumune.8596c22f", "target": null }, { "id": "Generic.Malware.SMYB", "display_name": "Generic.Malware.SMYB", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "Agent.NBAE", "display_name": "Agent.NBAE", "target": null }, { "id": "AGEN.1045227", "display_name": "AGEN.1045227", "target": null }, { "id": "Riskware.Agent", "display_name": "Riskware.Agent", "target": null }, { "id": "Gen:Variant.Cerbu", "display_name": "Gen:Variant.Cerbu", "target": null }, { "id": "IL:Trojan.MSILZilla", "display_name": "IL:Trojan.MSILZilla", "target": null }, { "id": "Dropped:Generic.Ransom.DMR", "display_name": "Dropped:Generic.Ransom.DMR", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Trojan.Heur", "display_name": "Trojan.Heur", "target": null }, { "id": "Trojan.Malware.300983", "display_name": "Trojan.Malware.300983", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "Trojan.DelShad", "display_name": "Trojan.DelShad", "target": null }, { "id": "Exploit CVE-2017-11882", "display_name": "Exploit CVE-2017-11882", "target": null }, { "id": "GameHack.NL", "display_name": "GameHack.NL", "target": null }, { "id": "JS:Trojan.HideLink", "display_name": "JS:Trojan.HideLink", "target": null }, { "id": "Script.Agent", "display_name": "Script.Agent", "target": null }, { "id": "Macro.Agent", "display_name": "Macro.Agent", "target": null }, { "id": "Macro.Downloader.AMIP", "display_name": "Macro.Downloader.AMIP", "target": null }, { "id": "Trojan.VBA", "display_name": "Trojan.VBA", "target": null }, { "id": "HEUR.VBA.Trojan", "display_name": "HEUR.VBA.Trojan", "target": null }, { "id": "VB.EmoooDldr.10", "display_name": "VB.EmoooDldr.10", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Packed-GV", "display_name": "Packed-GV", "target": null }, { "id": "Adware.InstallMonetizer", "display_name": "Adware.InstallMonetizer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Presenoker", "display_name": "Presenoker", "target": null }, { "id": "SGeneric", "display_name": "SGeneric", "target": null }, { "id": "GameHack.DOM", "display_name": "GameHack.DOM", "target": null }, { "id": "BehavesLike.Ransom", "display_name": "BehavesLike.Ransom", "target": null }, { "id": "CIL.StupidCryptor", "display_name": "CIL.StupidCryptor", "target": null }, { "id": "Gen:Heur.Ransom.MSIL", "display_name": "Gen:Heur.Ransom.MSIL", "target": null }, { "id": "Black.Gen2", "display_name": "Black.Gen2", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Trojan.HTML.PHISH", "display_name": "Trojan.HTML.PHISH", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Program.Unwanted", "display_name": "Program.Unwanted", "target": null }, { "id": "HEUR/QVM42.3.72EB.Malware", "display_name": "HEUR/QVM42.3.72EB.Malware", "target": null }, { "id": "suspicious.low.ml", "display_name": "suspicious.low.ml", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Suspicious_GEN.F47V0520", "display_name": "Suspicious_GEN.F47V0520", "target": null }, { "id": "Dropper.Trojan.Generic", "display_name": "Dropper.Trojan.Generic", "target": null }, { "id": "Trojan.TrickBot", "display_name": "Trojan.TrickBot", "target": null }, { "id": "Malware.Tk.Generic", "display_name": "Malware.Tk.Generic", "target": null }, { "id": "TrojanSpy.Java", "display_name": "TrojanSpy.Java", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "BehavesLike.Exploit", "display_name": "BehavesLike.Exploit", "target": null }, { "id": "Gen:NN.ZemsilF.34128", "display_name": "Gen:NN.ZemsilF.34128", "target": null }, { "id": "Wacapew.C", "display_name": "Wacapew.C", "target": null }, { "id": "Trojan.Malware.121218", "display_name": "Trojan.Malware.121218", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "W32.Trojan", "display_name": "W32.Trojan", "target": null }, { "id": "BScope.Riskware", "display_name": "BScope.Riskware", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "Virus.Ramnit", "display_name": "Virus.Ramnit", "target": null }, { "id": "Virus.Virut", "display_name": "Virus.Virut", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "AGEN.1141126", "display_name": "AGEN.1141126", "target": null }, { "id": "W32.AIDetect", "display_name": "W32.AIDetect", "target": null }, { "id": "Trojan.Python", "display_name": "Trojan.Python", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Adware.Downware", "display_name": "Adware.Downware", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Gen:Variant.Midie", "display_name": "Gen:Variant.Midie", "target": null }, { "id": "HEUR/QVM41.2.DA9B.Malware", "display_name": "HEUR/QVM41.2.DA9B.Malware", "target": null }, { "id": "Gen:Variant.Sirefef", "display_name": "Gen:Variant.Sirefef", "target": null }, { "id": "Macro.Trojan.Dropperd", "display_name": "Macro.Trojan.Dropperd", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Redcap.rlhse", "display_name": "Redcap.rlhse", "target": null }, { "id": "Trojan.Trickster", "display_name": "Trojan.Trickster", "target": null }, { "id": "HTML_REDIR.SMR", "display_name": "HTML_REDIR.SMR", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "JS:Iframe", "display_name": "JS:Iframe", "target": null }, { "id": "Application.SQLCrack", "display_name": "Application.SQLCrack", "target": null }, { "id": "susp.lnk", "display_name": "susp.lnk", "target": null }, { "id": "QVM201.0.B70B.Malware", "display_name": "QVM201.0.B70B.Malware", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebMonitor RAT", "display_name": "WebMonitor RAT", "target": null }, { "id": "Tor - S0183", "display_name": "Tor - S0183", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCryptor", "display_name": "WannaCryptor", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "DeepScan:Generic.Ransom.GandCrab5", "display_name": "DeepScan:Generic.Ransom.GandCrab5", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "States", "display_name": "States", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "Gen:NN.ZexaF.32515", "display_name": "Gen:NN.ZexaF.32515", "target": null }, { "id": "FileRepMalware", "display_name": "FileRepMalware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Icefog", "display_name": "Icefog", "target": null }, { "id": "$WebWatson", "display_name": "$WebWatson", "target": null }, { "id": "Agent.AIK.gen", "display_name": "Agent.AIK.gen", "target": null }, { "id": "Agent.AIK.genCIL.StupidCryptor", "display_name": "Agent.AIK.genCIL.StupidCryptor", "target": null }, { "id": "Agent.YPEZ", "display_name": "Agent.YPEZ", "target": null }, { "id": "Application.InnovativSol", "display_name": "Application.InnovativSol", "target": null }, { "id": "Agent.ASO", "display_name": "Agent.ASO", "target": null }, { "id": "S-b748adc5", "display_name": "S-b748adc5", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "Kryptik.GUCB", "display_name": "Kryptik.GUCB", "target": null }, { "id": "AgentTesla", "display_name": "AgentTesla", "target": null }, { "id": "Autoit.bimwt", "display_name": "Autoit.bimwt", "target": null }, { "id": "HEUR:Trojan.OLE2.Alien", "display_name": "HEUR:Trojan.OLE2.Alien", "target": null }, { "id": "AGEN.1038489", "display_name": "AGEN.1038489", "target": null }, { "id": "Gen:Variant.Ser.Strictor", "display_name": "Gen:Variant.Ser.Strictor", "target": null }, { "id": "Packed.Themida.Gen", "display_name": "Packed.Themida.Gen", "target": null }, { "id": "AGEN.1043164", "display_name": "AGEN.1043164", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.PornoAsset", "display_name": "Trojan.PornoAsset", "target": null }, { "id": "Ransom.Win64.PORNOASSET.SM1", "display_name": "Ransom.Win64.PORNOASSET.SM1", "target": null }, { "id": "Gen:Variant.Ulise", "display_name": "Gen:Variant.Ulise", "target": null }, { "id": "Trojan.Win64", "display_name": "Trojan.Win64", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "Heur.BZC.YAX.Pantera.10", "display_name": "Heur.BZC.YAX.Pantera.10", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "CVE-2015-1650", "display_name": "CVE-2015-1650", "target": null }, { "id": "Worm.Win64.AutoRun", "display_name": "Worm.Win64.AutoRun", "target": null }, { "id": "AIT.Heur.Cottonmouth.8.78F19BD7", "display_name": "AIT.Heur.Cottonmouth.8.78F19BD7", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Pua.Gen", "display_name": "Pua.Gen", "target": null }, { "id": "Trojan.Downloader.Generic", "display_name": "Trojan.Downloader.Generic", "target": null }, { "id": "Suspected of Trojan.Downloader.gen", "display_name": "Suspected of Trojan.Downloader.gen", "target": null }, { "id": "HEUR:RemoteAdmin.Generic", "display_name": "HEUR:RemoteAdmin.Generic", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "Nemucod.A", "display_name": "Nemucod.A", "target": null }, { "id": "Backdoor.Hupigon", "display_name": "Backdoor.Hupigon", "target": null }, { "id": "Trojan.Starter JS.Iframe", "display_name": "Trojan.Starter JS.Iframe", "target": null }, { "id": "fake ,promethiumm ,strongpity", "display_name": "fake ,promethiumm ,strongpity", "target": null }, { "id": "PUA.Reg1staid", "display_name": "PUA.Reg1staid", "target": null }, { "id": "Malware.Heur_Generic.A", "display_name": "Malware.Heur_Generic.A", "target": null }, { "id": "Bladabindi.Q", "display_name": "Bladabindi.Q", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "malicious.6e0700", "display_name": "malicious.6e0700", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "RedCap.vneda", "display_name": "RedCap.vneda", "target": null }, { "id": "Trojan.Indiloadz", "display_name": "Trojan.Indiloadz", "target": null }, { "id": "Trojan.Ekstak", "display_name": "Trojan.Ekstak", "target": null }, { "id": "staticrr.paleokits.net", "display_name": "staticrr.paleokits.net", "target": null }, { "id": "MSIL.Downloader", "display_name": "MSIL.Downloader", "target": null }, { "id": "Trojan.Autoruns.GenericKDS", "display_name": "Trojan.Autoruns.GenericKDS", "target": null }, { "id": "MSIL.Trojan.BSE", "display_name": "MSIL.Trojan.BSE", "target": null }, { "id": "Adload.AD81", "display_name": "Adload.AD81", "target": null }, { "id": "Packed.Asprotect", "display_name": "Packed.Asprotect", "target": null }, { "id": "Gen:NN.ZemsilF.34062", "display_name": "Gen:NN.ZemsilF.34062", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Agent.pwc", "display_name": "Agent.pwc", "target": null }, { "id": "RiskTool.Phpw", "display_name": "RiskTool.Phpw", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Trojan.PWS", "display_name": "Trojan.PWS", "target": null }, { "id": "Generic.BitCoinMiner.3", "display_name": "Generic.BitCoinMiner.3", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "Gen:NN", "display_name": "Gen:NN", "target": null }, { "id": "Downloader.CertutilURLCache", "display_name": "Downloader.CertutilURLCache", "target": null }, { "id": "Elf", "display_name": "Elf", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Kryptik.NRD", "display_name": "Kryptik.NRD", "target": null }, { "id": "Riskware", "display_name": "Riskware", "target": null }, { "id": "Kuluoz.B.gen", "display_name": "Kuluoz.B.gen", "target": null }, { "id": "Gen:Variant.RevengeRat", "display_name": "Gen:Variant.RevengeRat", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "VB.Chronos.7", "display_name": "VB.Chronos.7", "target": null }, { "id": "Kryptik.NOE", "display_name": "Kryptik.NOE", "target": null }, { "id": "HEUR:WebToolbar.Generic", "display_name": "HEUR:WebToolbar.Generic", "target": null }, { "id": "Gen:Variant.Barys", "display_name": "Gen:Variant.Barys", "target": null }, { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Backdoor.Agent", "display_name": "Backdoor.Agent", "target": null }, { "id": "Unsafe", "display_name": "Unsafe", "target": null }, { "id": "Trojan.PHP.Agent", "display_name": "Trojan.PHP.Agent", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "HEUR:Exploit.Generic", "display_name": "HEUR:Exploit.Generic", "target": null }, { "id": "Ransom_WCRY.SMALYM", "display_name": "Ransom_WCRY.SMALYM", "target": null }, { "id": "Ransom_WCRY.SMJ", "display_name": "Ransom_WCRY.SMJ", "target": null }, { "id": "Auslogics", "display_name": "Auslogics", "target": null }, { "id": "Gen:Variant.Jaiko", "display_name": "Gen:Variant.Jaiko", "target": null }, { "id": "Exploit.W32.Agent", "display_name": "Exploit.W32.Agent", "target": null }, { "id": "Trojan.Cud.Gen", "display_name": "Trojan.Cud.Gen", "target": null }, { "id": "Trojan.DOC.Downloader", "display_name": "Trojan.DOC.Downloader", "target": null }, { "id": "Backdoor.MSIL.Agent", "display_name": "Backdoor.MSIL.Agent", "target": null }, { "id": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "display_name": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "target": null }, { "id": "Gen:Variant.Kazy", "display_name": "Gen:Variant.Kazy", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Ransom.WannaCrypt", "display_name": "Ransom.WannaCrypt", "target": null }, { "id": "Generic.ServStart.A", "display_name": "Generic.ServStart.A", "target": null }, { "id": "Trojan.Wanna", "display_name": "Trojan.Wanna", "target": null }, { "id": "Generic.MSIL.Bladabindi", "display_name": "Generic.MSIL.Bladabindi", "target": null }, { "id": "TROJ_GEN.R002C0OG518", "display_name": "TROJ_GEN.R002C0OG518", "target": null }, { "id": "Trojan.Chapak", "display_name": "Trojan.Chapak", "target": null }, { "id": "Indiloadz.BB", "display_name": "Indiloadz.BB", "target": null }, { "id": "BehavBehavesLike.PUPXBI", "display_name": "BehavBehavesLike.PUPXBI", "target": null }, { "id": "DeepScan:Generic.SpyAgent.6", "display_name": "DeepScan:Generic.SpyAgent.6", "target": null }, { "id": "Python.KeyLogger", "display_name": "Python.KeyLogger", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Generic.MSIL.PasswordStealer", "display_name": "Generic.MSIL.PasswordStealer", "target": null }, { "id": "PSW.Agent", "display_name": "PSW.Agent", "target": null }, { "id": "malicious.8c45ba", "display_name": "malicious.8c45ba", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "Constructor.MSIL", "display_name": "Constructor.MSIL", "target": null }, { "id": "Linux.Agent", "display_name": "Linux.Agent", "target": null }, { "id": "Virus.3DMax.Script", "display_name": "Virus.3DMax.Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Application.SearchProtect", "display_name": "Application.SearchProtect", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Faceliker.A", "display_name": "Faceliker.A", "target": null }, { "id": "JS:Trojan.JS.Faceliker", "display_name": "JS:Trojan.JS.Faceliker", "target": null }, { "id": "Constructor.MSIL Linux.Agent", "display_name": "Constructor.MSIL Linux.Agent", "target": null }, { "id": "PowerShell.Trojan", "display_name": "PowerShell.Trojan", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "Injector.CLDS", "display_name": "Injector.CLDS", "target": null }, { "id": "VB.Downloader.2", "display_name": "VB.Downloader.2", "target": null }, { "id": "malicious.3e78cc", "display_name": "malicious.3e78cc", "target": null }, { "id": "malicious.d800d6", "display_name": "malicious.d800d6", "target": null }, { "id": "VB.PwShell.2", "display_name": "VB.PwShell.2", "target": null }, { "id": "Backdoor.RBot", "display_name": "Backdoor.RBot", "target": null }, { "id": "malicious.71b1a8", "display_name": "malicious.71b1a8", "target": null }, { "id": "TrojanSpy.KeyLogger", "display_name": "TrojanSpy.KeyLogger", "target": null }, { "id": "Injector.JDO", "display_name": "Injector.JDO", "target": null }, { "id": "Heur.Msword.Gen", "display_name": "Heur.Msword.Gen", "target": null }, { "id": "PSW.Discord", "display_name": "PSW.Discord", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "HEUR:AdWare.StartSurf", "display_name": "HEUR:AdWare.StartSurf", "target": null }, { "id": "Gen:Heur.NoobyProtect", "display_name": "Gen:Heur.NoobyProtect", "target": null }, { "id": "CIL.HeapOverride", "display_name": "CIL.HeapOverride", "target": null }, { "id": "HEUR:Trojan.Tasker", "display_name": "HEUR:Trojan.Tasker", "target": null }, { "id": "XLM.Trojan.Abracadabra.27", "display_name": "XLM.Trojan.Abracadabra.27", "target": null }, { "id": "HEUR:Backdoor.MSIL.NanoBot", "display_name": "HEUR:Backdoor.MSIL.NanoBot", "target": null }, { "id": "Trojan.PSW.Mimikatz", "display_name": "Trojan.PSW.Mimikatz", "target": null }, { "id": "TrojanSpy.Python", "display_name": "TrojanSpy.Python", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "Exploit.MSOffice", "display_name": "Exploit.MSOffice", "target": null }, { "id": "DeepScan:Generic.Ransom.AmnesiaE", "display_name": "DeepScan:Generic.Ransom.AmnesiaE", "target": null }, { "id": "Wacatac.D6", "display_name": "Wacatac.D6", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "Packed.NetSeal", "display_name": "Packed.NetSeal", "target": null }, { "id": "Trojan.MSIL.Injector", "display_name": "Trojan.MSIL.Injector", "target": null }, { "id": "Trojan.PWS.Agent", "display_name": "Trojan.PWS.Agent", "target": null }, { "id": "TScope.Trojan", "display_name": "TScope.Trojan", "target": null }, { "id": "PSW.Stealer", "display_name": "PSW.Stealer", "target": null }, { "id": "Trojan.PackedNET", "display_name": "Trojan.PackedNET", "target": null }, { "id": "Trojan.Java", "display_name": "Trojan.Java", "target": null }, { "id": "MalwareX", "display_name": "MalwareX", "target": null }, { "id": "Trojan.PSW.Python", "display_name": "Trojan.PSW.Python", "target": null }, { "id": "malicious.11abfc", "display_name": "malicious.11abfc", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HEUR:Trojan.MSIL.Tasker", "display_name": "HEUR:Trojan.MSIL.Tasker", "target": null }, { "id": "PossibleThreat.PALLAS", "display_name": "PossibleThreat.PALLAS", "target": null }, { "id": "Backdoor.Poison", "display_name": "Backdoor.Poison", "target": null }, { "id": "Generic.MSIL.LimeRAT", "display_name": "Generic.MSIL.LimeRAT", "target": null }, { "id": "PWS-FCZZ", "display_name": "PWS-FCZZ", "target": null }, { "id": "Trojan.Script", "display_name": "Trojan.Script", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Trojan.PWS.Growtopia", "display_name": "Trojan.PWS.Growtopia", "target": null }, { "id": "Spyware.Bobik", "display_name": "Spyware.Bobik", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Hack.Patcher", "display_name": "Hack.Patcher", "target": null }, { "id": "PWS.p", "display_name": "PWS.p", "target": null }, { "id": "Suppobox", "display_name": "Suppobox", "target": null }, { "id": "index.php", "display_name": "index.php", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "HEUR:Trojan.MSOffice.SAgent", "display_name": "HEUR:Trojan.MSOffice.SAgent", "target": null }, { "id": "Script.INF", "display_name": "Script.INF", "target": null }, { "id": "JS:Trojan.JS.Likejack", "display_name": "JS:Trojan.JS.Likejack", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "Trojan.JS.Agent", "display_name": "Trojan.JS.Agent", "target": null }, { "id": "APT Notes", "display_name": "APT Notes", "target": null }, { "id": "susp.rtf.objupdate", "display_name": "susp.rtf.objupdate", "target": null }, { "id": "RedCap.zoohz", "display_name": "RedCap.zoohz", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "virus.office.qexvmc", "display_name": "virus.office.qexvmc", "target": null }, { "id": "Trojan.KillProc", "display_name": "Trojan.KillProc", "target": null }, { "id": "Generic.MSIL.GrwtpStealer.1", "display_name": "Generic.MSIL.GrwtpStealer.1", "target": null }, { "id": "Suspicious.Cloud", "display_name": "Suspicious.Cloud", "target": null }, { "id": "PowerShell.DownLoader", "display_name": "PowerShell.DownLoader", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "AGEN.1030939", "display_name": "AGEN.1030939", "target": null }, { "id": "HackTool.Binder", "display_name": "HackTool.Binder", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "Dldr.Agent", "display_name": "Dldr.Agent", "target": null }, { "id": "Dropper.MSIL", "display_name": "Dropper.MSIL", "target": null }, { "id": "Trojan.VBKryjetor", "display_name": "Trojan.VBKryjetor", "target": null }, { "id": "PWSX", "display_name": "PWSX", "target": null }, { "id": "VB:Trojan.VBA.Agent", "display_name": "VB:Trojan.VBA.Agent", "target": null }, { "id": "HEUR:Trojan.MSOffice.Stratos", "display_name": "HEUR:Trojan.MSOffice.Stratos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 338, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1184, "FileHash-SHA1": 949, "FileHash-SHA256": 3712, "URL": 2925, "domain": 627, "hostname": 1319, "CVE": 26, "email": 8, "CIDR": 2 }, "indicator_count": 10752, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654c597a4a45c8d84f0b15c1", "name": "Lucky Mouse APT27 | Feodo Tracker | Malicious Tor Server | Apple iOS", "description": "Darkside 2020 Ecosystem .BEware\nMalicious Tor server. Link found in pulse created prior. \nMalvertizing target: Tsara Brashears\nRevenge Porn.\nThere may me others. Malicious Apple activities, locating, CVE exploits, unlocking, hijacker, service transfer, spyware, malicious full auth, tracking, endless. Seems to originate from a law firm that goes to far to defend clients and silence alleged victims. \nSome State allow the same privileges and tools the federal government to insurance, workers compensation, investigators and insurance company law firms for investigations. \nFear tactics they seem willing to back up. I was approached and asked about my cyber knowledge by strangers. I am followed now for using a tool properly.\nALL terms auto populated from various tools from various tools used including, State, Brian Sabey, cyber stalking. Perhaps he's made contact with target. Danger!", "modified": "2023-12-09T03:01:57.989000", "created": "2023-11-09T04:00:58.166000", "tags": [ "ssl certificate", "historical ssl", "communicating", "contacted", "resolutions", "whois record", "whois whois", "whois parent", "whois siblings", "skynet", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "back", "download", "phishing", "union", "bank", "malicious site", "blacklist http", "exit", "traffic", "node tcp", "tor known", "tor relayrouter", "et tor", "known tor", "relayrouter", "anonymizer", "spammer", "malware", "dropped", "unlocker", "http", "critical risk", "redline stealer", "core", "hacktool", "execution", "type win32", "exe size", "first seen", "file name", "avast win32", "win32", "avg win32", "fortinet", "vitro", "mb first", "rmndrp", "clean mx", "undetected dns8", "undetected vx", "sophos", "vault", "zdb zeus", "cmc threat", "snort ip", "feodo tracker", "cybereason", "send bug", "pe yandex", "no data", "tag count", "count blacklist", "tag tag", "algorithm", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "first", "seen", "valid", "no na", "no no", "ip security", "cndst root", "ca x3", "ca id", "research group", "cnisrg root", "no expired", "mozilla", "android", "malicious red team", "tsara brashears", "cyber stalking", "malvertizing", "invasion of privacy", "threat", "adult content", "apple", "iphone unlocker", "android", "exploited spyware", "malware host", "brute force", "revenge-rat", "banker", "evasive", "domain", "redline", "stealer", "phishing", "ramnit", "unreliable subdomains", "dridex", "gating", "msil", "rat", "loki", "network", "hacking", "sinkhole", "azorult", "c2", "historicalandnew", "targeted attack", "puffstealer", "rultazo", "lokibot", "loki pws", "burkina", "banker,dde,dridex,exploit", "banker,dridex,evasive", "trickbot", "ransomware,torrentlocker", "exploit_source", "blacknet", "FileRepMalware", "linux agent", "blacknet", "ios", "phishing paypal", "tagging", "defacement", "hit", "bounty", "phishing site", "malware site", "malware download", "endangerment", "Malicious domain - SANS Internet Storm Center", "evasive,msil,rat,revenge-rat", "prism_setting", "prism_object", "static engine", "social engineering", "jansky", "worm", "network rat", "networm", "Loki Password Stealer (PWS)", "South Carolina Federal Credit Union phishing", "darkweb", "yandex", "redirectors", "blacknet threats", "phishing,ransomware,sinkhole", "wanacrypt0r,wannacry,wcry", "tor c++", "tor c++ client", "python user", "js user", "hacker", "hijacker", "heur", "maltiverse", "alexa top", "exploit", "riskware", "unsafe", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "crack", "webtoolbar", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "__convergedlogin_pcustomizationloader_44b450e8d543eb53930d", "malicious url", "financial", "blacknet rat", "azorult", "stealer", "deep scan", "blacklist https", "referrer", "collections kp", "incident ip", "sneaky server", "replacement", "unauthorized", "emotet", "noname057", "generic malware", "engineering", "cyber threat", "facebook", "paypal", "dropbox", "united", "america", "banking", "wells fargo", "steam", "twitter", "sliver", "daum", "swift", "runescape", "betabot", "district", "iframe", "alexa", "downldr", "agent", "presenoker", "bladabindi", "live", "conduit", "pony", "covid19", "malicious", "cobalt strike", "suppobox", "ramnit", "meterpreter", "virut", "njrat", "pykspa", "asyncrat", "downloader", "fakealert", "binder", "virustotal", "formbook", "necurs", "trojan", "msil", "hiloti", "vawtrak", "simda", "kraken", "solimba", "icedid", "redirector", "suspic", "amadey", "raccoon", "nanocore rat", "revenge rat", "genkryptik", "fuery", "wacatac", "service", "cloudeye", "tinba", "domaiq", "ave maria", "zeus", "ransomware", "zbot", "generic", "trojanspy", "states", "inmortal", "locky", "strike", "china cobalt", "keybase", "cutwail", "citadel", "radamant", "kovter", "bradesco", "nymaim", "amonetize", "bondat", "ghost rat", "vjw0rm", "bandoo", "matsnu", "dnspionage", "darkgate", "vidar", "keylogger", "remcos", "agenttesla", "detplock", "win64", "smokeloader", "agent tesla", "kgs0", "kls0", "urls", "type name", "dns replication", "date", "domain", "win32 exe", "files", "detections type", "name", "drpsuinstaller", "vdfsurfs", "opera", "icwrmind", "notepad", "installer", "miner", "unknown", "networm", "houdini", "quasar rat", "gamehack", "dbatloader", "qakbot", "ursnif", "CVE-2005-1790", "CVE-2009-3672", "CVE-2010-3962", "CVE-2012-3993", "CVE-2014-6332", "CVE-2017-11882", "CVE-2020-0601", "CVE-2020-0674", "hallrender.com", "brian sabey", "insurance", "botnetwork", "botmaster", "command_and_control", "CVE-2021-27065", "CVE-2021-40444", "CVE-2023-4966", "CVE-2017-0199", "CVE-2018-4893", "CVE-2010-3333", "CVE-2015-1641", "CVE-2017-0147", "CVE-2017-8570", "CVE-2018-0802", "CVE-2018-8373", "CVE-2017-8759", "CVE-2018-8453", "CVE-2014-3153", "CVE-2015-1650", "CVE-2017-0143", "CVE-2017-8464", "Icefog", "Delf.NBX", "$WebWatson", "Gen:Heur.Ransom.HiddenTears", "mobilekey.pw", "bitbucket.org", "Anomalous.100%", "malware distribution site", "gootkit", "edsaid", "rightsaided", "betabot", "cobaltstrike4.tk", "mas.to", "BehavesLike.YahLover", "srdvd16010404", "languageenu", "buildno", "channelisales", "vendorname2581", "osregion", "device", "systemlocale", "majorver16", "quasar", "find", "lockbit", "chaos", "ransomexx", "grandoreiro", "evilnum", "banker" ], "references": [ "https://hybrid-analysis.com/sample/6765f47ea77c8274c8e4973ed95aedf59e75998c62f6029e23c58cdf36ed85ba/654afdbdc621e7037801cce7", "20.99.186.246 exploit source", "fp2e7a.wpc.2be4.phicdn.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing, ELF, Prism.exe found)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password cracker)", "http://182.22.25.124:7878/182.22.25.124:443 (malicious dropper)", "init.ess.apple.com (malicious code script)", "https://www.pornhub.com/video/search?search=tsara+brashears (Malicious PW cracker | stylebk.css stylesheets - not found )", "https://urlscan.io/result/a328d9ff-fb49-4078-960d-a757fd41404f/#indicators", "VirusTotal Link: https://www.virustotal.com/gui/ip-address/20.99.186.246/detection", "Abuse IPDB Link: https://www.abuseipdb.com/check/20.99.186.246", "IPv4 45.12.253.72. command_and_control", "Hostname: ddos.dnsnb8.net command_and_control", "IPv4 95.213.186.51 command_and_control", "Hostname: www.supernetforme.com command_and_control", "IPv4 103.224.182.246 command_and_control", "IPv4 72.251.233.245 command_and_control", "IPv4 63.251.106.25 command_and_control", "IPv4 45.15.156.208 command_and_control", "IPv4 104.247.81.51 command_and_control", "http://ambisexual.phone-sex-blogs.com/http:/ambisexual.phone-sex-blogs.com/images/thumbnails/pic118.jpg (phishing)", "https://downloaddevtools.ir/ (phishing)", "happylifehappywife.com", "apples.encryptedwork.com (Interesting in the blacknet)", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635. (iOS unlocker and hijacker)", "https://www.anyxxxtube.net/media/favicon/apple (password cracker and iOS hijacker)", "https://www.apple.com/shop/browse/open/country_selector (exploit)", "www.norad.mil (federal tracking tool used by attorneys, law firms, and private investigators 'licensed or unlicensed') hi!", "http://init-p01st.push.apple.com/bag (malicious web creator)", "opencve.djgummikuh.de (CVE dispensary)", "Maltiverse Research Team", "URLscan.io", "Deep Research", "Hybrid Analysis", "URLhaus Abuse.ch", "Cyber Threat Coalition", "ThreatFox Abuse.ch" ], "public": 1, "adversary": "Lucky Mouse APT27 | NoName057(16) | Unnamed", "targeted_countries": [ "United States of America", "France", "Spain" ], "malware_families": [ { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "Ramnit.N", "display_name": "Ramnit.N", "target": null }, { "id": "Loki Bot", "display_name": "Loki Bot", "target": null }, { "id": "Loki Password Stealer (PWS)", "display_name": "Loki Password Stealer (PWS)", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Zbd Zeus", "display_name": "Zbd Zeus", "target": null }, { "id": "Trojan:MSIL/Burkina", "display_name": "Trojan:MSIL/Burkina", "target": "/malware/Trojan:MSIL/Burkina" }, { "id": "Generic.TrickBot.1", "display_name": "Generic.TrickBot.1", "target": null }, { "id": "Exploit.CVE", "display_name": "Exploit.CVE", "target": null }, { "id": "Injector.IS.gen", "display_name": "Injector.IS.gen", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Trojan.Androm.Gen", "display_name": "Trojan.Androm.Gen", "target": null }, { "id": "HEUR:Trojan.Linux.Agent", "display_name": "HEUR:Trojan.Linux.Agent", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "VBA.Downloader", "display_name": "VBA.Downloader", "target": null }, { "id": "Trojan.Notifier", "display_name": "Trojan.Notifier", "target": null }, { "id": "HEUR:Trojan.MSOffice.Alien", "display_name": "HEUR:Trojan.MSOffice.Alien", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Gen:Variant.Johnnie", "display_name": "Gen:Variant.Johnnie", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan:Python/Downldr", "display_name": "Trojan:Python/Downldr", "target": "/malware/Trojan:Python/Downldr" }, { "id": "Trojan:Linux/Downldr", "display_name": "Trojan:Linux/Downldr", "target": "/malware/Trojan:Linux/Downldr" }, { "id": "Trojan:VBA/Downldr", "display_name": "Trojan:VBA/Downldr", "target": "/malware/Trojan:VBA/Downldr" }, { "id": "TrojanDownloader:Linux/Downldr", "display_name": "TrojanDownloader:Linux/Downldr", "target": "/malware/TrojanDownloader:Linux/Downldr" }, { "id": "Kryptik.FPH.gen", "display_name": "Kryptik.FPH.gen", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.JAT", "display_name": "Phish.JAT", "target": null }, { "id": "Phishing.HTML", "display_name": "Phishing.HTML", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Xegumumune.8596c22f", "display_name": "Xegumumune.8596c22f", "target": null }, { "id": "Generic.Malware.SMYB", "display_name": "Generic.Malware.SMYB", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "Agent.NBAE", "display_name": "Agent.NBAE", "target": null }, { "id": "AGEN.1045227", "display_name": "AGEN.1045227", "target": null }, { "id": "Riskware.Agent", "display_name": "Riskware.Agent", "target": null }, { "id": "Gen:Variant.Cerbu", "display_name": "Gen:Variant.Cerbu", "target": null }, { "id": "IL:Trojan.MSILZilla", "display_name": "IL:Trojan.MSILZilla", "target": null }, { "id": "Dropped:Generic.Ransom.DMR", "display_name": "Dropped:Generic.Ransom.DMR", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Trojan.Heur", "display_name": "Trojan.Heur", "target": null }, { "id": "Trojan.Malware.300983", "display_name": "Trojan.Malware.300983", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "Trojan.DelShad", "display_name": "Trojan.DelShad", "target": null }, { "id": "Exploit CVE-2017-11882", "display_name": "Exploit CVE-2017-11882", "target": null }, { "id": "GameHack.NL", "display_name": "GameHack.NL", "target": null }, { "id": "JS:Trojan.HideLink", "display_name": "JS:Trojan.HideLink", "target": null }, { "id": "Script.Agent", "display_name": "Script.Agent", "target": null }, { "id": "Macro.Agent", "display_name": "Macro.Agent", "target": null }, { "id": "Macro.Downloader.AMIP", "display_name": "Macro.Downloader.AMIP", "target": null }, { "id": "Trojan.VBA", "display_name": "Trojan.VBA", "target": null }, { "id": "HEUR.VBA.Trojan", "display_name": "HEUR.VBA.Trojan", "target": null }, { "id": "VB.EmoooDldr.10", "display_name": "VB.EmoooDldr.10", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Packed-GV", "display_name": "Packed-GV", "target": null }, { "id": "Adware.InstallMonetizer", "display_name": "Adware.InstallMonetizer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Presenoker", "display_name": "Presenoker", "target": null }, { "id": "SGeneric", "display_name": "SGeneric", "target": null }, { "id": "GameHack.DOM", "display_name": "GameHack.DOM", "target": null }, { "id": "BehavesLike.Ransom", "display_name": "BehavesLike.Ransom", "target": null }, { "id": "CIL.StupidCryptor", "display_name": "CIL.StupidCryptor", "target": null }, { "id": "Gen:Heur.Ransom.MSIL", "display_name": "Gen:Heur.Ransom.MSIL", "target": null }, { "id": "Black.Gen2", "display_name": "Black.Gen2", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Trojan.HTML.PHISH", "display_name": "Trojan.HTML.PHISH", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Program.Unwanted", "display_name": "Program.Unwanted", "target": null }, { "id": "HEUR/QVM42.3.72EB.Malware", "display_name": "HEUR/QVM42.3.72EB.Malware", "target": null }, { "id": "suspicious.low.ml", "display_name": "suspicious.low.ml", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Suspicious_GEN.F47V0520", "display_name": "Suspicious_GEN.F47V0520", "target": null }, { "id": "Dropper.Trojan.Generic", "display_name": "Dropper.Trojan.Generic", "target": null }, { "id": "Trojan.TrickBot", "display_name": "Trojan.TrickBot", "target": null }, { "id": "Malware.Tk.Generic", "display_name": "Malware.Tk.Generic", "target": null }, { "id": "TrojanSpy.Java", "display_name": "TrojanSpy.Java", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "BehavesLike.Exploit", "display_name": "BehavesLike.Exploit", "target": null }, { "id": "Gen:NN.ZemsilF.34128", "display_name": "Gen:NN.ZemsilF.34128", "target": null }, { "id": "Wacapew.C", "display_name": "Wacapew.C", "target": null }, { "id": "Trojan.Malware.121218", "display_name": "Trojan.Malware.121218", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "W32.Trojan", "display_name": "W32.Trojan", "target": null }, { "id": "BScope.Riskware", "display_name": "BScope.Riskware", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "Virus.Ramnit", "display_name": "Virus.Ramnit", "target": null }, { "id": "Virus.Virut", "display_name": "Virus.Virut", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "AGEN.1141126", "display_name": "AGEN.1141126", "target": null }, { "id": "W32.AIDetect", "display_name": "W32.AIDetect", "target": null }, { "id": "Trojan.Python", "display_name": "Trojan.Python", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Adware.Downware", "display_name": "Adware.Downware", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Gen:Variant.Midie", "display_name": "Gen:Variant.Midie", "target": null }, { "id": "HEUR/QVM41.2.DA9B.Malware", "display_name": "HEUR/QVM41.2.DA9B.Malware", "target": null }, { "id": "Gen:Variant.Sirefef", "display_name": "Gen:Variant.Sirefef", "target": null }, { "id": "Macro.Trojan.Dropperd", "display_name": "Macro.Trojan.Dropperd", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Redcap.rlhse", "display_name": "Redcap.rlhse", "target": null }, { "id": "Trojan.Trickster", "display_name": "Trojan.Trickster", "target": null }, { "id": "HTML_REDIR.SMR", "display_name": "HTML_REDIR.SMR", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "JS:Iframe", "display_name": "JS:Iframe", "target": null }, { "id": "Application.SQLCrack", "display_name": "Application.SQLCrack", "target": null }, { "id": "susp.lnk", "display_name": "susp.lnk", "target": null }, { "id": "QVM201.0.B70B.Malware", "display_name": "QVM201.0.B70B.Malware", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebMonitor RAT", "display_name": "WebMonitor RAT", "target": null }, { "id": "Tor - S0183", "display_name": "Tor - S0183", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCryptor", "display_name": "WannaCryptor", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "DeepScan:Generic.Ransom.GandCrab5", "display_name": "DeepScan:Generic.Ransom.GandCrab5", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "States", "display_name": "States", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "Gen:NN.ZexaF.32515", "display_name": "Gen:NN.ZexaF.32515", "target": null }, { "id": "FileRepMalware", "display_name": "FileRepMalware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Icefog", "display_name": "Icefog", "target": null }, { "id": "$WebWatson", "display_name": "$WebWatson", "target": null }, { "id": "Agent.AIK.gen", "display_name": "Agent.AIK.gen", "target": null }, { "id": "Agent.AIK.genCIL.StupidCryptor", "display_name": "Agent.AIK.genCIL.StupidCryptor", "target": null }, { "id": "Agent.YPEZ", "display_name": "Agent.YPEZ", "target": null }, { "id": "Application.InnovativSol", "display_name": "Application.InnovativSol", "target": null }, { "id": "Agent.ASO", "display_name": "Agent.ASO", "target": null }, { "id": "S-b748adc5", "display_name": "S-b748adc5", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "Kryptik.GUCB", "display_name": "Kryptik.GUCB", "target": null }, { "id": "AgentTesla", "display_name": "AgentTesla", "target": null }, { "id": "Autoit.bimwt", "display_name": "Autoit.bimwt", "target": null }, { "id": "HEUR:Trojan.OLE2.Alien", "display_name": "HEUR:Trojan.OLE2.Alien", "target": null }, { "id": "AGEN.1038489", "display_name": "AGEN.1038489", "target": null }, { "id": "Gen:Variant.Ser.Strictor", "display_name": "Gen:Variant.Ser.Strictor", "target": null }, { "id": "Packed.Themida.Gen", "display_name": "Packed.Themida.Gen", "target": null }, { "id": "AGEN.1043164", "display_name": "AGEN.1043164", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.PornoAsset", "display_name": "Trojan.PornoAsset", "target": null }, { "id": "Ransom.Win64.PORNOASSET.SM1", "display_name": "Ransom.Win64.PORNOASSET.SM1", "target": null }, { "id": "Gen:Variant.Ulise", "display_name": "Gen:Variant.Ulise", "target": null }, { "id": "Trojan.Win64", "display_name": "Trojan.Win64", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "Heur.BZC.YAX.Pantera.10", "display_name": "Heur.BZC.YAX.Pantera.10", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "CVE-2015-1650", "display_name": "CVE-2015-1650", "target": null }, { "id": "Worm.Win64.AutoRun", "display_name": "Worm.Win64.AutoRun", "target": null }, { "id": "AIT.Heur.Cottonmouth.8.78F19BD7", "display_name": "AIT.Heur.Cottonmouth.8.78F19BD7", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Pua.Gen", "display_name": "Pua.Gen", "target": null }, { "id": "Trojan.Downloader.Generic", "display_name": "Trojan.Downloader.Generic", "target": null }, { "id": "Suspected of Trojan.Downloader.gen", "display_name": "Suspected of Trojan.Downloader.gen", "target": null }, { "id": "HEUR:RemoteAdmin.Generic", "display_name": "HEUR:RemoteAdmin.Generic", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "Nemucod.A", "display_name": "Nemucod.A", "target": null }, { "id": "Backdoor.Hupigon", "display_name": "Backdoor.Hupigon", "target": null }, { "id": "Trojan.Starter JS.Iframe", "display_name": "Trojan.Starter JS.Iframe", "target": null }, { "id": "fake ,promethiumm ,strongpity", "display_name": "fake ,promethiumm ,strongpity", "target": null }, { "id": "PUA.Reg1staid", "display_name": "PUA.Reg1staid", "target": null }, { "id": "Malware.Heur_Generic.A", "display_name": "Malware.Heur_Generic.A", "target": null }, { "id": "Bladabindi.Q", "display_name": "Bladabindi.Q", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "malicious.6e0700", "display_name": "malicious.6e0700", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "RedCap.vneda", "display_name": "RedCap.vneda", "target": null }, { "id": "Trojan.Indiloadz", "display_name": "Trojan.Indiloadz", "target": null }, { "id": "Trojan.Ekstak", "display_name": "Trojan.Ekstak", "target": null }, { "id": "staticrr.paleokits.net", "display_name": "staticrr.paleokits.net", "target": null }, { "id": "MSIL.Downloader", "display_name": "MSIL.Downloader", "target": null }, { "id": "Trojan.Autoruns.GenericKDS", "display_name": "Trojan.Autoruns.GenericKDS", "target": null }, { "id": "MSIL.Trojan.BSE", "display_name": "MSIL.Trojan.BSE", "target": null }, { "id": "Adload.AD81", "display_name": "Adload.AD81", "target": null }, { "id": "Packed.Asprotect", "display_name": "Packed.Asprotect", "target": null }, { "id": "Gen:NN.ZemsilF.34062", "display_name": "Gen:NN.ZemsilF.34062", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Agent.pwc", "display_name": "Agent.pwc", "target": null }, { "id": "RiskTool.Phpw", "display_name": "RiskTool.Phpw", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Trojan.PWS", "display_name": "Trojan.PWS", "target": null }, { "id": "Generic.BitCoinMiner.3", "display_name": "Generic.BitCoinMiner.3", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "Gen:NN", "display_name": "Gen:NN", "target": null }, { "id": "Downloader.CertutilURLCache", "display_name": "Downloader.CertutilURLCache", "target": null }, { "id": "Elf", "display_name": "Elf", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Kryptik.NRD", "display_name": "Kryptik.NRD", "target": null }, { "id": "Riskware", "display_name": "Riskware", "target": null }, { "id": "Kuluoz.B.gen", "display_name": "Kuluoz.B.gen", "target": null }, { "id": "Gen:Variant.RevengeRat", "display_name": "Gen:Variant.RevengeRat", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "VB.Chronos.7", "display_name": "VB.Chronos.7", "target": null }, { "id": "Kryptik.NOE", "display_name": "Kryptik.NOE", "target": null }, { "id": "HEUR:WebToolbar.Generic", "display_name": "HEUR:WebToolbar.Generic", "target": null }, { "id": "Gen:Variant.Barys", "display_name": "Gen:Variant.Barys", "target": null }, { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Backdoor.Agent", "display_name": "Backdoor.Agent", "target": null }, { "id": "Unsafe", "display_name": "Unsafe", "target": null }, { "id": "Trojan.PHP.Agent", "display_name": "Trojan.PHP.Agent", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "HEUR:Exploit.Generic", "display_name": "HEUR:Exploit.Generic", "target": null }, { "id": "Ransom_WCRY.SMALYM", "display_name": "Ransom_WCRY.SMALYM", "target": null }, { "id": "Ransom_WCRY.SMJ", "display_name": "Ransom_WCRY.SMJ", "target": null }, { "id": "Auslogics", "display_name": "Auslogics", "target": null }, { "id": "Gen:Variant.Jaiko", "display_name": "Gen:Variant.Jaiko", "target": null }, { "id": "Exploit.W32.Agent", "display_name": "Exploit.W32.Agent", "target": null }, { "id": "Trojan.Cud.Gen", "display_name": "Trojan.Cud.Gen", "target": null }, { "id": "Trojan.DOC.Downloader", "display_name": "Trojan.DOC.Downloader", "target": null }, { "id": "Backdoor.MSIL.Agent", "display_name": "Backdoor.MSIL.Agent", "target": null }, { "id": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "display_name": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "target": null }, { "id": "Gen:Variant.Kazy", "display_name": "Gen:Variant.Kazy", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Ransom.WannaCrypt", "display_name": "Ransom.WannaCrypt", "target": null }, { "id": "Generic.ServStart.A", "display_name": "Generic.ServStart.A", "target": null }, { "id": "Trojan.Wanna", "display_name": "Trojan.Wanna", "target": null }, { "id": "Generic.MSIL.Bladabindi", "display_name": "Generic.MSIL.Bladabindi", "target": null }, { "id": "TROJ_GEN.R002C0OG518", "display_name": "TROJ_GEN.R002C0OG518", "target": null }, { "id": "Trojan.Chapak", "display_name": "Trojan.Chapak", "target": null }, { "id": "Indiloadz.BB", "display_name": "Indiloadz.BB", "target": null }, { "id": "BehavBehavesLike.PUPXBI", "display_name": "BehavBehavesLike.PUPXBI", "target": null }, { "id": "DeepScan:Generic.SpyAgent.6", "display_name": "DeepScan:Generic.SpyAgent.6", "target": null }, { "id": "Python.KeyLogger", "display_name": "Python.KeyLogger", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Generic.MSIL.PasswordStealer", "display_name": "Generic.MSIL.PasswordStealer", "target": null }, { "id": "PSW.Agent", "display_name": "PSW.Agent", "target": null }, { "id": "malicious.8c45ba", "display_name": "malicious.8c45ba", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "Constructor.MSIL", "display_name": "Constructor.MSIL", "target": null }, { "id": "Linux.Agent", "display_name": "Linux.Agent", "target": null }, { "id": "Virus.3DMax.Script", "display_name": "Virus.3DMax.Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Application.SearchProtect", "display_name": "Application.SearchProtect", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Faceliker.A", "display_name": "Faceliker.A", "target": null }, { "id": "JS:Trojan.JS.Faceliker", "display_name": "JS:Trojan.JS.Faceliker", "target": null }, { "id": "Constructor.MSIL Linux.Agent", "display_name": "Constructor.MSIL Linux.Agent", "target": null }, { "id": "PowerShell.Trojan", "display_name": "PowerShell.Trojan", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "Injector.CLDS", "display_name": "Injector.CLDS", "target": null }, { "id": "VB.Downloader.2", "display_name": "VB.Downloader.2", "target": null }, { "id": "malicious.3e78cc", "display_name": "malicious.3e78cc", "target": null }, { "id": "malicious.d800d6", "display_name": "malicious.d800d6", "target": null }, { "id": "VB.PwShell.2", "display_name": "VB.PwShell.2", "target": null }, { "id": "Backdoor.RBot", "display_name": "Backdoor.RBot", "target": null }, { "id": "malicious.71b1a8", "display_name": "malicious.71b1a8", "target": null }, { "id": "TrojanSpy.KeyLogger", "display_name": "TrojanSpy.KeyLogger", "target": null }, { "id": "Injector.JDO", "display_name": "Injector.JDO", "target": null }, { "id": "Heur.Msword.Gen", "display_name": "Heur.Msword.Gen", "target": null }, { "id": "PSW.Discord", "display_name": "PSW.Discord", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "HEUR:AdWare.StartSurf", "display_name": "HEUR:AdWare.StartSurf", "target": null }, { "id": "Gen:Heur.NoobyProtect", "display_name": "Gen:Heur.NoobyProtect", "target": null }, { "id": "CIL.HeapOverride", "display_name": "CIL.HeapOverride", "target": null }, { "id": "HEUR:Trojan.Tasker", "display_name": "HEUR:Trojan.Tasker", "target": null }, { "id": "XLM.Trojan.Abracadabra.27", "display_name": "XLM.Trojan.Abracadabra.27", "target": null }, { "id": "HEUR:Backdoor.MSIL.NanoBot", "display_name": "HEUR:Backdoor.MSIL.NanoBot", "target": null }, { "id": "Trojan.PSW.Mimikatz", "display_name": "Trojan.PSW.Mimikatz", "target": null }, { "id": "TrojanSpy.Python", "display_name": "TrojanSpy.Python", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "Exploit.MSOffice", "display_name": "Exploit.MSOffice", "target": null }, { "id": "DeepScan:Generic.Ransom.AmnesiaE", "display_name": "DeepScan:Generic.Ransom.AmnesiaE", "target": null }, { "id": "Wacatac.D6", "display_name": "Wacatac.D6", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "Packed.NetSeal", "display_name": "Packed.NetSeal", "target": null }, { "id": "Trojan.MSIL.Injector", "display_name": "Trojan.MSIL.Injector", "target": null }, { "id": "Trojan.PWS.Agent", "display_name": "Trojan.PWS.Agent", "target": null }, { "id": "TScope.Trojan", "display_name": "TScope.Trojan", "target": null }, { "id": "PSW.Stealer", "display_name": "PSW.Stealer", "target": null }, { "id": "Trojan.PackedNET", "display_name": "Trojan.PackedNET", "target": null }, { "id": "Trojan.Java", "display_name": "Trojan.Java", "target": null }, { "id": "MalwareX", "display_name": "MalwareX", "target": null }, { "id": "Trojan.PSW.Python", "display_name": "Trojan.PSW.Python", "target": null }, { "id": "malicious.11abfc", "display_name": "malicious.11abfc", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HEUR:Trojan.MSIL.Tasker", "display_name": "HEUR:Trojan.MSIL.Tasker", "target": null }, { "id": "PossibleThreat.PALLAS", "display_name": "PossibleThreat.PALLAS", "target": null }, { "id": "Backdoor.Poison", "display_name": "Backdoor.Poison", "target": null }, { "id": "Generic.MSIL.LimeRAT", "display_name": "Generic.MSIL.LimeRAT", "target": null }, { "id": "PWS-FCZZ", "display_name": "PWS-FCZZ", "target": null }, { "id": "Trojan.Script", "display_name": "Trojan.Script", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Trojan.PWS.Growtopia", "display_name": "Trojan.PWS.Growtopia", "target": null }, { "id": "Spyware.Bobik", "display_name": "Spyware.Bobik", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Hack.Patcher", "display_name": "Hack.Patcher", "target": null }, { "id": "PWS.p", "display_name": "PWS.p", "target": null }, { "id": "Suppobox", "display_name": "Suppobox", "target": null }, { "id": "index.php", "display_name": "index.php", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "HEUR:Trojan.MSOffice.SAgent", "display_name": "HEUR:Trojan.MSOffice.SAgent", "target": null }, { "id": "Script.INF", "display_name": "Script.INF", "target": null }, { "id": "JS:Trojan.JS.Likejack", "display_name": "JS:Trojan.JS.Likejack", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "Trojan.JS.Agent", "display_name": "Trojan.JS.Agent", "target": null }, { "id": "APT Notes", "display_name": "APT Notes", "target": null }, { "id": "susp.rtf.objupdate", "display_name": "susp.rtf.objupdate", "target": null }, { "id": "RedCap.zoohz", "display_name": "RedCap.zoohz", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "virus.office.qexvmc", "display_name": "virus.office.qexvmc", "target": null }, { "id": "Trojan.KillProc", "display_name": "Trojan.KillProc", "target": null }, { "id": "Generic.MSIL.GrwtpStealer.1", "display_name": "Generic.MSIL.GrwtpStealer.1", "target": null }, { "id": "Suspicious.Cloud", "display_name": "Suspicious.Cloud", "target": null }, { "id": "PowerShell.DownLoader", "display_name": "PowerShell.DownLoader", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "AGEN.1030939", "display_name": "AGEN.1030939", "target": null }, { "id": "HackTool.Binder", "display_name": "HackTool.Binder", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "Dldr.Agent", "display_name": "Dldr.Agent", "target": null }, { "id": "Dropper.MSIL", "display_name": "Dropper.MSIL", "target": null }, { "id": "Trojan.VBKryjetor", "display_name": "Trojan.VBKryjetor", "target": null }, { "id": "PWSX", "display_name": "PWSX", "target": null }, { "id": "VB:Trojan.VBA.Agent", "display_name": "VB:Trojan.VBA.Agent", "target": null }, { "id": "HEUR:Trojan.MSOffice.Stratos", "display_name": "HEUR:Trojan.MSOffice.Stratos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 338, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1184, "FileHash-SHA1": 949, "FileHash-SHA256": 3712, "URL": 2925, "domain": 627, "hostname": 1319, "CVE": 26, "email": 8, "CIDR": 2 }, "indicator_count": 10752, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654c5970817e6bf8b0e5b5ff", "name": "Lucky Mouse APT27 | Feodo Tracker | Malicious Tor Server | Apple iOS", "description": "Darkside 2020 Ecosystem .BEware\nMalicious Tor server. Link found in pulse created prior. \nMalvertizing target: Tsara Brashears\nRevenge Porn.\nThere may me others. Malicious Apple activities, locating, CVE exploits, unlocking, hijacker, service transfer, spyware, malicious full auth, tracking, endless. Seems to originate from a law firm that goes to far to defend clients and silence alleged victims. \nSome State allow the same privileges and tools the federal government to insurance, workers compensation, investigators and insurance company law firms for investigations. \nFear tactics they seem willing to back up. I was approached and asked about my cyber knowledge by strangers. I am followed now for using a tool properly.\nALL terms auto populated from various tools from various tools used including, State, Brian Sabey, cyber stalking. Perhaps he's made contact with target. Danger!", "modified": "2023-12-09T03:01:57.989000", "created": "2023-11-09T04:00:48.087000", "tags": [ "ssl certificate", "historical ssl", "communicating", "contacted", "resolutions", "whois record", "whois whois", "whois parent", "whois siblings", "skynet", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "back", "download", "phishing", "union", "bank", "malicious site", "blacklist http", "exit", "traffic", "node tcp", "tor known", "tor relayrouter", "et tor", "known tor", "relayrouter", "anonymizer", "spammer", "malware", "dropped", "unlocker", "http", "critical risk", "redline stealer", "core", "hacktool", "execution", "type win32", "exe size", "first seen", "file name", "avast win32", "win32", "avg win32", "fortinet", "vitro", "mb first", "rmndrp", "clean mx", "undetected dns8", "undetected vx", "sophos", "vault", "zdb zeus", "cmc threat", "snort ip", "feodo tracker", "cybereason", "send bug", "pe yandex", "no data", "tag count", "count blacklist", "tag tag", "algorithm", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "first", "seen", "valid", "no na", "no no", "ip security", "cndst root", "ca x3", "ca id", "research group", "cnisrg root", "no expired", "mozilla", "android", "malicious red team", "tsara brashears", "cyber stalking", "malvertizing", "invasion of privacy", "threat", "adult content", "apple", "iphone unlocker", "android", "exploited spyware", "malware host", "brute force", "revenge-rat", "banker", "evasive", "domain", "redline", "stealer", "phishing", "ramnit", "unreliable subdomains", "dridex", "gating", "msil", "rat", "loki", "network", "hacking", "sinkhole", "azorult", "c2", "historicalandnew", "targeted attack", "puffstealer", "rultazo", "lokibot", "loki pws", "burkina", "banker,dde,dridex,exploit", "banker,dridex,evasive", "trickbot", "ransomware,torrentlocker", "exploit_source", "blacknet", "FileRepMalware", "linux agent", "blacknet", "ios", "phishing paypal", "tagging", "defacement", "hit", "bounty", "phishing site", "malware site", "malware download", "endangerment", "Malicious domain - SANS Internet Storm Center", "evasive,msil,rat,revenge-rat", "prism_setting", "prism_object", "static engine", "social engineering", "jansky", "worm", "network rat", "networm", "Loki Password Stealer (PWS)", "South Carolina Federal Credit Union phishing", "darkweb", "yandex", "redirectors", "blacknet threats", "phishing,ransomware,sinkhole", "wanacrypt0r,wannacry,wcry", "tor c++", "tor c++ client", "python user", "js user", "hacker", "hijacker", "heur", "maltiverse", "alexa top", "exploit", "riskware", "unsafe", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "crack", "webtoolbar", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "__convergedlogin_pcustomizationloader_44b450e8d543eb53930d", "malicious url", "financial", "blacknet rat", "azorult", "stealer", "deep scan", "blacklist https", "referrer", "collections kp", "incident ip", "sneaky server", "replacement", "unauthorized", "emotet", "noname057", "generic malware", "engineering", "cyber threat", "facebook", "paypal", "dropbox", "united", "america", "banking", "wells fargo", "steam", "twitter", "sliver", "daum", "swift", "runescape", "betabot", "district", "iframe", "alexa", "downldr", "agent", "presenoker", "bladabindi", "live", "conduit", "pony", "covid19", "malicious", "cobalt strike", "suppobox", "ramnit", "meterpreter", "virut", "njrat", "pykspa", "asyncrat", "downloader", "fakealert", "binder", "virustotal", "formbook", "necurs", "trojan", "msil", "hiloti", "vawtrak", "simda", "kraken", "solimba", "icedid", "redirector", "suspic", "amadey", "raccoon", "nanocore rat", "revenge rat", "genkryptik", "fuery", "wacatac", "service", "cloudeye", "tinba", "domaiq", "ave maria", "zeus", "ransomware", "zbot", "generic", "trojanspy", "states", "inmortal", "locky", "strike", "china cobalt", "keybase", "cutwail", "citadel", "radamant", "kovter", "bradesco", "nymaim", "amonetize", "bondat", "ghost rat", "vjw0rm", "bandoo", "matsnu", "dnspionage", "darkgate", "vidar", "keylogger", "remcos", "agenttesla", "detplock", "win64", "smokeloader", "agent tesla", "kgs0", "kls0", "urls", "type name", "dns replication", "date", "domain", "win32 exe", "files", "detections type", "name", "drpsuinstaller", "vdfsurfs", "opera", "icwrmind", "notepad", "installer", "miner", "unknown", "networm", "houdini", "quasar rat", "gamehack", "dbatloader", "qakbot", "ursnif", "CVE-2005-1790", "CVE-2009-3672", "CVE-2010-3962", "CVE-2012-3993", "CVE-2014-6332", "CVE-2017-11882", "CVE-2020-0601", "CVE-2020-0674", "hallrender.com", "brian sabey", "insurance", "botnetwork", "botmaster", "command_and_control", "CVE-2021-27065", "CVE-2021-40444", "CVE-2023-4966", "CVE-2017-0199", "CVE-2018-4893", "CVE-2010-3333", "CVE-2015-1641", "CVE-2017-0147", "CVE-2017-8570", "CVE-2018-0802", "CVE-2018-8373", "CVE-2017-8759", "CVE-2018-8453", "CVE-2014-3153", "CVE-2015-1650", "CVE-2017-0143", "CVE-2017-8464", "Icefog", "Delf.NBX", "$WebWatson", "Gen:Heur.Ransom.HiddenTears", "mobilekey.pw", "bitbucket.org", "Anomalous.100%", "malware distribution site", "gootkit", "edsaid", "rightsaided", "betabot", "cobaltstrike4.tk", "mas.to", "BehavesLike.YahLover", "srdvd16010404", "languageenu", "buildno", "channelisales", "vendorname2581", "osregion", "device", "systemlocale", "majorver16", "quasar", "find", "lockbit", "chaos", "ransomexx", "grandoreiro", "evilnum", "banker" ], "references": [ "https://hybrid-analysis.com/sample/6765f47ea77c8274c8e4973ed95aedf59e75998c62f6029e23c58cdf36ed85ba/654afdbdc621e7037801cce7", "20.99.186.246 exploit source", "fp2e7a.wpc.2be4.phicdn.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing, ELF, Prism.exe found)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password cracker)", "http://182.22.25.124:7878/182.22.25.124:443 (malicious dropper)", "init.ess.apple.com (malicious code script)", "https://www.pornhub.com/video/search?search=tsara+brashears (Malicious PW cracker | stylebk.css stylesheets - not found )", "https://urlscan.io/result/a328d9ff-fb49-4078-960d-a757fd41404f/#indicators", "VirusTotal Link: https://www.virustotal.com/gui/ip-address/20.99.186.246/detection", "Abuse IPDB Link: https://www.abuseipdb.com/check/20.99.186.246", "IPv4 45.12.253.72. command_and_control", "Hostname: ddos.dnsnb8.net command_and_control", "IPv4 95.213.186.51 command_and_control", "Hostname: www.supernetforme.com command_and_control", "IPv4 103.224.182.246 command_and_control", "IPv4 72.251.233.245 command_and_control", "IPv4 63.251.106.25 command_and_control", "IPv4 45.15.156.208 command_and_control", "IPv4 104.247.81.51 command_and_control", "http://ambisexual.phone-sex-blogs.com/http:/ambisexual.phone-sex-blogs.com/images/thumbnails/pic118.jpg (phishing)", "https://downloaddevtools.ir/ (phishing)", "happylifehappywife.com", "apples.encryptedwork.com (Interesting in the blacknet)", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635. (iOS unlocker and hijacker)", "https://www.anyxxxtube.net/media/favicon/apple (password cracker and iOS hijacker)", "https://www.apple.com/shop/browse/open/country_selector (exploit)", "www.norad.mil (federal tracking tool used by attorneys, law firms, and private investigators 'licensed or unlicensed') hi!", "http://init-p01st.push.apple.com/bag (malicious web creator)", "opencve.djgummikuh.de (CVE dispensary)", "Maltiverse Research Team", "URLscan.io", "Deep Research", "Hybrid Analysis", "URLhaus Abuse.ch", "Cyber Threat Coalition", "ThreatFox Abuse.ch" ], "public": 1, "adversary": "Lucky Mouse APT27 | NoName057(16) | Unnamed", "targeted_countries": [ "United States of America", "France", "Spain" ], "malware_families": [ { "id": "Feodo", "display_name": "Feodo", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "Ramnit.N", "display_name": "Ramnit.N", "target": null }, { "id": "Loki Bot", "display_name": "Loki Bot", "target": null }, { "id": "Loki Password Stealer (PWS)", "display_name": "Loki Password Stealer (PWS)", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Zbd Zeus", "display_name": "Zbd Zeus", "target": null }, { "id": "Trojan:MSIL/Burkina", "display_name": "Trojan:MSIL/Burkina", "target": "/malware/Trojan:MSIL/Burkina" }, { "id": "Generic.TrickBot.1", "display_name": "Generic.TrickBot.1", "target": null }, { "id": "Exploit.CVE", "display_name": "Exploit.CVE", "target": null }, { "id": "Injector.IS.gen", "display_name": "Injector.IS.gen", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Trojan.Androm.Gen", "display_name": "Trojan.Androm.Gen", "target": null }, { "id": "HEUR:Trojan.Linux.Agent", "display_name": "HEUR:Trojan.Linux.Agent", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "VBA.Downloader", "display_name": "VBA.Downloader", "target": null }, { "id": "Trojan.Notifier", "display_name": "Trojan.Notifier", "target": null }, { "id": "HEUR:Trojan.MSOffice.Alien", "display_name": "HEUR:Trojan.MSOffice.Alien", "target": null }, { "id": "Unsafe.AI_Score_100%", "display_name": "Unsafe.AI_Score_100%", "target": null }, { "id": "Gen:Variant.Johnnie", "display_name": "Gen:Variant.Johnnie", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan:Python/Downldr", "display_name": "Trojan:Python/Downldr", "target": "/malware/Trojan:Python/Downldr" }, { "id": "Trojan:Linux/Downldr", "display_name": "Trojan:Linux/Downldr", "target": "/malware/Trojan:Linux/Downldr" }, { "id": "Trojan:VBA/Downldr", "display_name": "Trojan:VBA/Downldr", "target": "/malware/Trojan:VBA/Downldr" }, { "id": "TrojanDownloader:Linux/Downldr", "display_name": "TrojanDownloader:Linux/Downldr", "target": "/malware/TrojanDownloader:Linux/Downldr" }, { "id": "Kryptik.FPH.gen", "display_name": "Kryptik.FPH.gen", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.JAT", "display_name": "Phish.JAT", "target": null }, { "id": "Phishing.HTML", "display_name": "Phishing.HTML", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Xegumumune.8596c22f", "display_name": "Xegumumune.8596c22f", "target": null }, { "id": "Generic.Malware.SMYB", "display_name": "Generic.Malware.SMYB", "target": null }, { "id": "malicious.moderate.ml", "display_name": "malicious.moderate.ml", "target": null }, { "id": "Agent.NBAE", "display_name": "Agent.NBAE", "target": null }, { "id": "AGEN.1045227", "display_name": "AGEN.1045227", "target": null }, { "id": "Riskware.Agent", "display_name": "Riskware.Agent", "target": null }, { "id": "Gen:Variant.Cerbu", "display_name": "Gen:Variant.Cerbu", "target": null }, { "id": "IL:Trojan.MSILZilla", "display_name": "IL:Trojan.MSILZilla", "target": null }, { "id": "Dropped:Generic.Ransom.DMR", "display_name": "Dropped:Generic.Ransom.DMR", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Trojan.Heur", "display_name": "Trojan.Heur", "target": null }, { "id": "Trojan.Malware.300983", "display_name": "Trojan.Malware.300983", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "Trojan.DelShad", "display_name": "Trojan.DelShad", "target": null }, { "id": "Exploit CVE-2017-11882", "display_name": "Exploit CVE-2017-11882", "target": null }, { "id": "GameHack.NL", "display_name": "GameHack.NL", "target": null }, { "id": "JS:Trojan.HideLink", "display_name": "JS:Trojan.HideLink", "target": null }, { "id": "Script.Agent", "display_name": "Script.Agent", "target": null }, { "id": "Macro.Agent", "display_name": "Macro.Agent", "target": null }, { "id": "Macro.Downloader.AMIP", "display_name": "Macro.Downloader.AMIP", "target": null }, { "id": "Trojan.VBA", "display_name": "Trojan.VBA", "target": null }, { "id": "HEUR.VBA.Trojan", "display_name": "HEUR.VBA.Trojan", "target": null }, { "id": "VB.EmoooDldr.10", "display_name": "VB.EmoooDldr.10", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Packed-GV", "display_name": "Packed-GV", "target": null }, { "id": "Adware.InstallMonetizer", "display_name": "Adware.InstallMonetizer", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Zpevdo.B", "display_name": "Zpevdo.B", "target": null }, { "id": "Presenoker", "display_name": "Presenoker", "target": null }, { "id": "SGeneric", "display_name": "SGeneric", "target": null }, { "id": "GameHack.DOM", "display_name": "GameHack.DOM", "target": null }, { "id": "BehavesLike.Ransom", "display_name": "BehavesLike.Ransom", "target": null }, { "id": "CIL.StupidCryptor", "display_name": "CIL.StupidCryptor", "target": null }, { "id": "Gen:Heur.Ransom.MSIL", "display_name": "Gen:Heur.Ransom.MSIL", "target": null }, { "id": "Black.Gen2", "display_name": "Black.Gen2", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Trojan.HTML.PHISH", "display_name": "Trojan.HTML.PHISH", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Program.Unwanted", "display_name": "Program.Unwanted", "target": null }, { "id": "HEUR/QVM42.3.72EB.Malware", "display_name": "HEUR/QVM42.3.72EB.Malware", "target": null }, { "id": "suspicious.low.ml", "display_name": "suspicious.low.ml", "target": null }, { "id": "JS:Trojan.Cryxos", "display_name": "JS:Trojan.Cryxos", "target": null }, { "id": "Suspicious_GEN.F47V0520", "display_name": "Suspicious_GEN.F47V0520", "target": null }, { "id": "Dropper.Trojan.Generic", "display_name": "Dropper.Trojan.Generic", "target": null }, { "id": "Trojan.TrickBot", "display_name": "Trojan.TrickBot", "target": null }, { "id": "Malware.Tk.Generic", "display_name": "Malware.Tk.Generic", "target": null }, { "id": "TrojanSpy.Java", "display_name": "TrojanSpy.Java", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "BehavesLike.Exploit", "display_name": "BehavesLike.Exploit", "target": null }, { "id": "Gen:NN.ZemsilF.34128", "display_name": "Gen:NN.ZemsilF.34128", "target": null }, { "id": "Wacapew.C", "display_name": "Wacapew.C", "target": null }, { "id": "Trojan.Malware.121218", "display_name": "Trojan.Malware.121218", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "W32.Trojan", "display_name": "W32.Trojan", "target": null }, { "id": "BScope.Riskware", "display_name": "BScope.Riskware", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "Virus.Ramnit", "display_name": "Virus.Ramnit", "target": null }, { "id": "Virus.Virut", "display_name": "Virus.Virut", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "AGEN.1141126", "display_name": "AGEN.1141126", "target": null }, { "id": "W32.AIDetect", "display_name": "W32.AIDetect", "target": null }, { "id": "Trojan.Python", "display_name": "Trojan.Python", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "Suspicious.Save", "display_name": "Suspicious.Save", "target": null }, { "id": "Adware.Downware", "display_name": "Adware.Downware", "target": null }, { "id": "Ransom.Win64.Wacatac.oa", "display_name": "Ransom.Win64.Wacatac.oa", "target": null }, { "id": "OpenSubtitles.A", "display_name": "OpenSubtitles.A", "target": null }, { "id": "VB.EmoDldr.4", "display_name": "VB.EmoDldr.4", "target": null }, { "id": "Gen:Variant.Midie", "display_name": "Gen:Variant.Midie", "target": null }, { "id": "HEUR/QVM41.2.DA9B.Malware", "display_name": "HEUR/QVM41.2.DA9B.Malware", "target": null }, { "id": "Gen:Variant.Sirefef", "display_name": "Gen:Variant.Sirefef", "target": null }, { "id": "Macro.Trojan.Dropperd", "display_name": "Macro.Trojan.Dropperd", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "Redcap.rlhse", "display_name": "Redcap.rlhse", "target": null }, { "id": "Trojan.Trickster", "display_name": "Trojan.Trickster", "target": null }, { "id": "HTML_REDIR.SMR", "display_name": "HTML_REDIR.SMR", "target": null }, { "id": "TROJ_FRS.VSNTFK19", "display_name": "TROJ_FRS.VSNTFK19", "target": null }, { "id": "Hoax.JS.Phish", "display_name": "Hoax.JS.Phish", "target": null }, { "id": "JS:Iframe", "display_name": "JS:Iframe", "target": null }, { "id": "Application.SQLCrack", "display_name": "Application.SQLCrack", "target": null }, { "id": "susp.lnk", "display_name": "susp.lnk", "target": null }, { "id": "QVM201.0.B70B.Malware", "display_name": "QVM201.0.B70B.Malware", "target": null }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null }, { "id": "WebMonitor RAT", "display_name": "WebMonitor RAT", "target": null }, { "id": "Tor - S0183", "display_name": "Tor - S0183", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCryptor", "display_name": "WannaCryptor", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "DeepScan:Generic.Ransom.GandCrab5", "display_name": "DeepScan:Generic.Ransom.GandCrab5", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "States", "display_name": "States", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Delf.NBX", "display_name": "Delf.NBX", "target": null }, { "id": "Gen:NN.ZexaF.32515", "display_name": "Gen:NN.ZexaF.32515", "target": null }, { "id": "FileRepMalware", "display_name": "FileRepMalware", "target": null }, { "id": "Gen:Variant.MSILPerseus", "display_name": "Gen:Variant.MSILPerseus", "target": null }, { "id": "Icefog", "display_name": "Icefog", "target": null }, { "id": "$WebWatson", "display_name": "$WebWatson", "target": null }, { "id": "Agent.AIK.gen", "display_name": "Agent.AIK.gen", "target": null }, { "id": "Agent.AIK.genCIL.StupidCryptor", "display_name": "Agent.AIK.genCIL.StupidCryptor", "target": null }, { "id": "Agent.YPEZ", "display_name": "Agent.YPEZ", "target": null }, { "id": "Application.InnovativSol", "display_name": "Application.InnovativSol", "target": null }, { "id": "Agent.ASO", "display_name": "Agent.ASO", "target": null }, { "id": "S-b748adc5", "display_name": "S-b748adc5", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "Kryptik.GUCB", "display_name": "Kryptik.GUCB", "target": null }, { "id": "AgentTesla", "display_name": "AgentTesla", "target": null }, { "id": "Autoit.bimwt", "display_name": "Autoit.bimwt", "target": null }, { "id": "HEUR:Trojan.OLE2.Alien", "display_name": "HEUR:Trojan.OLE2.Alien", "target": null }, { "id": "AGEN.1038489", "display_name": "AGEN.1038489", "target": null }, { "id": "Gen:Variant.Ser.Strictor", "display_name": "Gen:Variant.Ser.Strictor", "target": null }, { "id": "Packed.Themida.Gen", "display_name": "Packed.Themida.Gen", "target": null }, { "id": "AGEN.1043164", "display_name": "AGEN.1043164", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.PornoAsset", "display_name": "Trojan.PornoAsset", "target": null }, { "id": "Ransom.Win64.PORNOASSET.SM1", "display_name": "Ransom.Win64.PORNOASSET.SM1", "target": null }, { "id": "Gen:Variant.Ulise", "display_name": "Gen:Variant.Ulise", "target": null }, { "id": "Trojan.Win64", "display_name": "Trojan.Win64", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "Heur.BZC.YAX.Pantera.10", "display_name": "Heur.BZC.YAX.Pantera.10", "target": null }, { "id": "malicious.high.ml", "display_name": "malicious.high.ml", "target": null }, { "id": "CVE-2015-1650", "display_name": "CVE-2015-1650", "target": null }, { "id": "Worm.Win64.AutoRun", "display_name": "Worm.Win64.AutoRun", "target": null }, { "id": "AIT.Heur.Cottonmouth.8.78F19BD7", "display_name": "AIT.Heur.Cottonmouth.8.78F19BD7", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "Pua.Gen", "display_name": "Pua.Gen", "target": null }, { "id": "Trojan.Downloader.Generic", "display_name": "Trojan.Downloader.Generic", "target": null }, { "id": "Suspected of Trojan.Downloader.gen", "display_name": "Suspected of Trojan.Downloader.gen", "target": null }, { "id": "HEUR:RemoteAdmin.Generic", "display_name": "HEUR:RemoteAdmin.Generic", "target": null }, { "id": "Gen:Heur.Ransom.HiddenTears", "display_name": "Gen:Heur.Ransom.HiddenTears", "target": null }, { "id": "Nemucod.A", "display_name": "Nemucod.A", "target": null }, { "id": "Backdoor.Hupigon", "display_name": "Backdoor.Hupigon", "target": null }, { "id": "Trojan.Starter JS.Iframe", "display_name": "Trojan.Starter JS.Iframe", "target": null }, { "id": "fake ,promethiumm ,strongpity", "display_name": "fake ,promethiumm ,strongpity", "target": null }, { "id": "PUA.Reg1staid", "display_name": "PUA.Reg1staid", "target": null }, { "id": "Malware.Heur_Generic.A", "display_name": "Malware.Heur_Generic.A", "target": null }, { "id": "Bladabindi.Q", "display_name": "Bladabindi.Q", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "malicious.6e0700", "display_name": "malicious.6e0700", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "RedCap.vneda", "display_name": "RedCap.vneda", "target": null }, { "id": "Trojan.Indiloadz", "display_name": "Trojan.Indiloadz", "target": null }, { "id": "Trojan.Ekstak", "display_name": "Trojan.Ekstak", "target": null }, { "id": "staticrr.paleokits.net", "display_name": "staticrr.paleokits.net", "target": null }, { "id": "MSIL.Downloader", "display_name": "MSIL.Downloader", "target": null }, { "id": "Trojan.Autoruns.GenericKDS", "display_name": "Trojan.Autoruns.GenericKDS", "target": null }, { "id": "MSIL.Trojan.BSE", "display_name": "MSIL.Trojan.BSE", "target": null }, { "id": "Adload.AD81", "display_name": "Adload.AD81", "target": null }, { "id": "Packed.Asprotect", "display_name": "Packed.Asprotect", "target": null }, { "id": "Gen:NN.ZemsilF.34062", "display_name": "Gen:NN.ZemsilF.34062", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Agent.pwc", "display_name": "Agent.pwc", "target": null }, { "id": "RiskTool.Phpw", "display_name": "RiskTool.Phpw", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Trojan.PWS", "display_name": "Trojan.PWS", "target": null }, { "id": "Generic.BitCoinMiner.3", "display_name": "Generic.BitCoinMiner.3", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "Gen:NN", "display_name": "Gen:NN", "target": null }, { "id": "Downloader.CertutilURLCache", "display_name": "Downloader.CertutilURLCache", "target": null }, { "id": "Elf", "display_name": "Elf", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Kryptik.NRD", "display_name": "Kryptik.NRD", "target": null }, { "id": "Riskware", "display_name": "Riskware", "target": null }, { "id": "Kuluoz.B.gen", "display_name": "Kuluoz.B.gen", "target": null }, { "id": "Gen:Variant.RevengeRat", "display_name": "Gen:Variant.RevengeRat", "target": null }, { "id": "Gen:Variant.Mikey", "display_name": "Gen:Variant.Mikey", "target": null }, { "id": "VB.Chronos.7", "display_name": "VB.Chronos.7", "target": null }, { "id": "Kryptik.NOE", "display_name": "Kryptik.NOE", "target": null }, { "id": "HEUR:WebToolbar.Generic", "display_name": "HEUR:WebToolbar.Generic", "target": null }, { "id": "Gen:Variant.Barys", "display_name": "Gen:Variant.Barys", "target": null }, { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Gen:Variant.Graftor", "display_name": "Gen:Variant.Graftor", "target": null }, { "id": "Backdoor.Agent", "display_name": "Backdoor.Agent", "target": null }, { "id": "Unsafe", "display_name": "Unsafe", "target": null }, { "id": "Trojan.PHP.Agent", "display_name": "Trojan.PHP.Agent", "target": null }, { "id": "Trojan.Agent", "display_name": "Trojan.Agent", "target": null }, { "id": "HEUR:Exploit.Generic", "display_name": "HEUR:Exploit.Generic", "target": null }, { "id": "Ransom_WCRY.SMALYM", "display_name": "Ransom_WCRY.SMALYM", "target": null }, { "id": "Ransom_WCRY.SMJ", "display_name": "Ransom_WCRY.SMJ", "target": null }, { "id": "Auslogics", "display_name": "Auslogics", "target": null }, { "id": "Gen:Variant.Jaiko", "display_name": "Gen:Variant.Jaiko", "target": null }, { "id": "Exploit.W32.Agent", "display_name": "Exploit.W32.Agent", "target": null }, { "id": "Trojan.Cud.Gen", "display_name": "Trojan.Cud.Gen", "target": null }, { "id": "Trojan.DOC.Downloader", "display_name": "Trojan.DOC.Downloader", "target": null }, { "id": "Backdoor.MSIL.Agent", "display_name": "Backdoor.MSIL.Agent", "target": null }, { "id": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "display_name": "Gen:Trojan.Heur2.LPTbHW@W64.HfsAutoB", "target": null }, { "id": "Gen:Variant.Kazy", "display_name": "Gen:Variant.Kazy", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Ransom.WannaCrypt", "display_name": "Ransom.WannaCrypt", "target": null }, { "id": "Generic.ServStart.A", "display_name": "Generic.ServStart.A", "target": null }, { "id": "Trojan.Wanna", "display_name": "Trojan.Wanna", "target": null }, { "id": "Generic.MSIL.Bladabindi", "display_name": "Generic.MSIL.Bladabindi", "target": null }, { "id": "TROJ_GEN.R002C0OG518", "display_name": "TROJ_GEN.R002C0OG518", "target": null }, { "id": "Trojan.Chapak", "display_name": "Trojan.Chapak", "target": null }, { "id": "Indiloadz.BB", "display_name": "Indiloadz.BB", "target": null }, { "id": "BehavBehavesLike.PUPXBI", "display_name": "BehavBehavesLike.PUPXBI", "target": null }, { "id": "DeepScan:Generic.SpyAgent.6", "display_name": "DeepScan:Generic.SpyAgent.6", "target": null }, { "id": "Python.KeyLogger", "display_name": "Python.KeyLogger", "target": null }, { "id": "GameHack.CRS", "display_name": "GameHack.CRS", "target": null }, { "id": "Generic.MSIL.PasswordStealer", "display_name": "Generic.MSIL.PasswordStealer", "target": null }, { "id": "PSW.Agent", "display_name": "PSW.Agent", "target": null }, { "id": "malicious.8c45ba", "display_name": "malicious.8c45ba", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "Constructor.MSIL", "display_name": "Constructor.MSIL", "target": null }, { "id": "Linux.Agent", "display_name": "Linux.Agent", "target": null }, { "id": "Virus.3DMax.Script", "display_name": "Virus.3DMax.Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Application.SearchProtect", "display_name": "Application.SearchProtect", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Faceliker.A", "display_name": "Faceliker.A", "target": null }, { "id": "JS:Trojan.JS.Faceliker", "display_name": "JS:Trojan.JS.Faceliker", "target": null }, { "id": "Constructor.MSIL Linux.Agent", "display_name": "Constructor.MSIL Linux.Agent", "target": null }, { "id": "PowerShell.Trojan", "display_name": "PowerShell.Trojan", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "W32.AIDetectVM", "display_name": "W32.AIDetectVM", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "Injector.CLDS", "display_name": "Injector.CLDS", "target": null }, { "id": "VB.Downloader.2", "display_name": "VB.Downloader.2", "target": null }, { "id": "malicious.3e78cc", "display_name": "malicious.3e78cc", "target": null }, { "id": "malicious.d800d6", "display_name": "malicious.d800d6", "target": null }, { "id": "VB.PwShell.2", "display_name": "VB.PwShell.2", "target": null }, { "id": "Backdoor.RBot", "display_name": "Backdoor.RBot", "target": null }, { "id": "malicious.71b1a8", "display_name": "malicious.71b1a8", "target": null }, { "id": "TrojanSpy.KeyLogger", "display_name": "TrojanSpy.KeyLogger", "target": null }, { "id": "Injector.JDO", "display_name": "Injector.JDO", "target": null }, { "id": "Heur.Msword.Gen", "display_name": "Heur.Msword.Gen", "target": null }, { "id": "PSW.Discord", "display_name": "PSW.Discord", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "HEUR:AdWare.StartSurf", "display_name": "HEUR:AdWare.StartSurf", "target": null }, { "id": "Gen:Heur.NoobyProtect", "display_name": "Gen:Heur.NoobyProtect", "target": null }, { "id": "CIL.HeapOverride", "display_name": "CIL.HeapOverride", "target": null }, { "id": "HEUR:Trojan.Tasker", "display_name": "HEUR:Trojan.Tasker", "target": null }, { "id": "XLM.Trojan.Abracadabra.27", "display_name": "XLM.Trojan.Abracadabra.27", "target": null }, { "id": "HEUR:Backdoor.MSIL.NanoBot", "display_name": "HEUR:Backdoor.MSIL.NanoBot", "target": null }, { "id": "Trojan.PSW.Mimikatz", "display_name": "Trojan.PSW.Mimikatz", "target": null }, { "id": "TrojanSpy.Python", "display_name": "TrojanSpy.Python", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "Exploit.MSOffice", "display_name": "Exploit.MSOffice", "target": null }, { "id": "DeepScan:Generic.Ransom.AmnesiaE", "display_name": "DeepScan:Generic.Ransom.AmnesiaE", "target": null }, { "id": "Wacatac.D6", "display_name": "Wacatac.D6", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "Packed.NetSeal", "display_name": "Packed.NetSeal", "target": null }, { "id": "Trojan.MSIL.Injector", "display_name": "Trojan.MSIL.Injector", "target": null }, { "id": "Trojan.PWS.Agent", "display_name": "Trojan.PWS.Agent", "target": null }, { "id": "TScope.Trojan", "display_name": "TScope.Trojan", "target": null }, { "id": "PSW.Stealer", "display_name": "PSW.Stealer", "target": null }, { "id": "Trojan.PackedNET", "display_name": "Trojan.PackedNET", "target": null }, { "id": "Trojan.Java", "display_name": "Trojan.Java", "target": null }, { "id": "MalwareX", "display_name": "MalwareX", "target": null }, { "id": "Trojan.PSW.Python", "display_name": "Trojan.PSW.Python", "target": null }, { "id": "malicious.11abfc", "display_name": "malicious.11abfc", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HEUR:Trojan.MSIL.Tasker", "display_name": "HEUR:Trojan.MSIL.Tasker", "target": null }, { "id": "PossibleThreat.PALLAS", "display_name": "PossibleThreat.PALLAS", "target": null }, { "id": "Backdoor.Poison", "display_name": "Backdoor.Poison", "target": null }, { "id": "Generic.MSIL.LimeRAT", "display_name": "Generic.MSIL.LimeRAT", "target": null }, { "id": "PWS-FCZZ", "display_name": "PWS-FCZZ", "target": null }, { "id": "Trojan.Script", "display_name": "Trojan.Script", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Trojan.PWS.Growtopia", "display_name": "Trojan.PWS.Growtopia", "target": null }, { "id": "Spyware.Bobik", "display_name": "Spyware.Bobik", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Hack.Patcher", "display_name": "Hack.Patcher", "target": null }, { "id": "PWS.p", "display_name": "PWS.p", "target": null }, { "id": "Suppobox", "display_name": "Suppobox", "target": null }, { "id": "index.php", "display_name": "index.php", "target": null }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "HEUR:Trojan.MSOffice.SAgent", "display_name": "HEUR:Trojan.MSOffice.SAgent", "target": null }, { "id": "Script.INF", "display_name": "Script.INF", "target": null }, { "id": "JS:Trojan.JS.Likejack", "display_name": "JS:Trojan.JS.Likejack", "target": null }, { "id": "SNH:Script [Dropper]", "display_name": "SNH:Script [Dropper]", "target": null }, { "id": "Trojan.JS.Agent", "display_name": "Trojan.JS.Agent", "target": null }, { "id": "APT Notes", "display_name": "APT Notes", "target": null }, { "id": "susp.rtf.objupdate", "display_name": "susp.rtf.objupdate", "target": null }, { "id": "RedCap.zoohz", "display_name": "RedCap.zoohz", "target": null }, { "id": "Trojan.Tasker", "display_name": "Trojan.Tasker", "target": null }, { "id": "virus.office.qexvmc", "display_name": "virus.office.qexvmc", "target": null }, { "id": "Trojan.KillProc", "display_name": "Trojan.KillProc", "target": null }, { "id": "Generic.MSIL.GrwtpStealer.1", "display_name": "Generic.MSIL.GrwtpStealer.1", "target": null }, { "id": "Suspicious.Cloud", "display_name": "Suspicious.Cloud", "target": null }, { "id": "PowerShell.DownLoader", "display_name": "PowerShell.DownLoader", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "AGEN.1030939", "display_name": "AGEN.1030939", "target": null }, { "id": "HackTool.Binder", "display_name": "HackTool.Binder", "target": null }, { "id": "Trojan.Inject", "display_name": "Trojan.Inject", "target": null }, { "id": "Dldr.Agent", "display_name": "Dldr.Agent", "target": null }, { "id": "Dropper.MSIL", "display_name": "Dropper.MSIL", "target": null }, { "id": "Trojan.VBKryjetor", "display_name": "Trojan.VBKryjetor", "target": null }, { "id": "PWSX", "display_name": "PWSX", "target": null }, { "id": "VB:Trojan.VBA.Agent", "display_name": "VB:Trojan.VBA.Agent", "target": null }, { "id": "HEUR:Trojan.MSOffice.Stratos", "display_name": "HEUR:Trojan.MSOffice.Stratos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 339, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1184, "FileHash-SHA1": 949, "FileHash-SHA256": 3712, "URL": 2925, "domain": 627, "hostname": 1319, "CVE": 26, "email": 8, "CIDR": 2 }, "indicator_count": 10752, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a567a62bb520508659a4", "name": "HoneyPot", "description": "", "modified": "2023-12-06T16:46:31.096000", "created": "2023-12-06T16:46:31.096000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1753, "hostname": 1193, "URL": 4223, "domain": 591, "FileHash-SHA1": 81, "FileHash-MD5": 81 }, "indicator_count": 7922, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709a0e8c20860fea88779a", "name": "https://surveyheart.com/form/619fb5dc68ff1721fc915f81", "description": "", "modified": "2023-12-06T15:58:06.293000", "created": "2023-12-06T15:58:06.293000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3624, "FileHash-SHA256": 1584, "domain": 871, "hostname": 1290, "FileHash-MD5": 20, "FileHash-SHA1": 20 }, "indicator_count": 7409, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657093b1ae988bb54a2c07ca", "name": "93.140.190.0 2017 Google Error due to many redirects presents 93.140.190.0 as being my ip which is incorrect", "description": "", "modified": "2023-12-06T15:30:57.239000", "created": "2023-12-06T15:30:57.239000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 1366, "hostname": 1331, "URL": 3507, "domain": 457, "FileHash-MD5": 1 }, "indicator_count": 6663, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707e6989f665ba71d8b273", "name": "bluetoothbotty like nothing you have seen hefore", "description": "", "modified": "2023-12-06T14:00:09.437000", "created": "2023-12-06T14:00:09.437000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "hostname": 815, "domain": 504, "FileHash-SHA256": 4137, "URL": 3590, "FileHash-SHA1": 1 }, "indicator_count": 9048, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6508d5cb5a5d82e58b5aafec", "name": "HoneyPot", "description": "http://cloudbazaar.org\nHome of Malware Bazaar? VoiceBazaar?\nFound in: public domain registry.com\nI won't post all vulnerabilities. Hyper malicious.", "modified": "2023-10-18T20:01:29.292000", "created": "2023-09-18T22:57:15.765000", "tags": [ "ssl certificate", "referrer", "communicating", "threat roundup", "contacted", "historical ssl", "execution", "emotet", "trickbot", "honeypot", "telecommunications", "social engineering", "spear fishing", "Command and cintrol", "phishing", "trojan", "whois", "scanning host", "smishing", "MalwareBazzar" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Emotet - S0367", "display_name": "Emotet - S0367", "target": null }, { "id": "TrickBot", "display_name": "TrickBot", "target": null }, { "id": "Malware.", "display_name": "Malware.", "target": null }, { "id": "Trojan.Python", "display_name": "Trojan.Python", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "MalwareBazzar", "display_name": "MalwareBazzar", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1074.002", "name": "Remote Data Staging", "display_name": "T1074.002 - Remote Data Staging" } ], "industries": [ "Technology", "Media Sharing", "Financial Services Data", "Contaent Delivery" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4223, "FileHash-MD5": 81, "FileHash-SHA1": 81, "FileHash-SHA256": 1753, "domain": 591, "hostname": 1193 }, "indicator_count": 7922, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "914 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6451ac22105fabd34fbdf476", "name": "https://surveyheart.com/form/619fb5dc68ff1721fc915f81", "description": "Albert Hill fake profile has 1 follower and 1 follow. the one follow has this url in the p rofile", "modified": "2023-05-03T00:34:42.633000", "created": "2023-05-03T00:34:42.633000", "tags": [ "entity" ], "references": [ "https://www.virustotal.com/graph/g5cc372545fb241bdab97ceedfdc72d87d6ec1e42c9a545ae9f824ed1e99521d9", "g5cc372545fb241bdab97ceedfdc72d87d6ec1e42c9a545ae9f824ed1e99521d9.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3624, "FileHash-SHA256": 1584, "hostname": 1290, "domain": 871, "IPv4": 95, "FileHash-MD5": 20, "FileHash-SHA1": 20 }, "indicator_count": 7504, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1083 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "638fef9c0dc3cca2cff5ac42", "name": "coldzone.tk - btcvip.com - Tweet", "description": "", "modified": "2023-01-05T18:10:20.257000", "created": "2022-12-07T01:42:52.861000", "tags": [ "coldzone.tk", "btcvip.com" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 642, "URL": 470, "hostname": 208, "domain": 65 }, "indicator_count": 1385, "is_author": false, "is_subscribing": null, "subscriber_count": 392, "modified_text": "1200 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6367ff6703a140789869f2de", "name": "93.140.190.0 2017 Google Error due to many redirects presents 93.140.190.0 as being my ip which is incorrect", "description": "contains a recent campaign targetting Poland domains from Sept 2022\nVN \nmany nasty .exe old but many still used in comms", "modified": "2022-12-06T18:00:30.682000", "created": "2022-11-06T18:39:35.884000", "tags": [ "93.140.190.0", "September PL infection", "VN domain malware from 2013", "https://www.virustotal.com/graph/embed/g04c1c4343dff4977a4d6b22d", "https://www.virustotal.com/gui/collection/70e122270a95cbc415c33f" ], "references": [ "g04c1c4343dff4977a4d6b22d125a1505f3d2798b3f3745bf853914b4d39f2f56.json", "https://www.virustotal.com/graph/embed/g04c1c4343dff4977a4d6b22d125a1505f3d2798b3f3745bf853914b4d39f2f56", "Collection VT - https://www.virustotal.com/gui/collection/70e122270a95cbc415c33faeb7d72d42b7864f4261dabb6e93c52af0fbc4d533" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3507, "hostname": 1331, "domain": 457, "FileHash-SHA256": 1366, "CVE": 1, "FileHash-MD5": 1 }, "indicator_count": 6663, "is_author": false, "is_subscribing": null, "subscriber_count": 392, "modified_text": "1230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62ba3913e991ce064ffaf375", "name": "http://irc.zief.pl:81/gi.exe from http://dyna.dnsever.com/download/DDNSClient_1.0.0.5.zip", "description": "", "modified": "2022-07-28T00:02:14.384000", "created": "2022-06-27T23:11:15.135000", "tags": [ "win32", "trojan", "entries related", "domains domain", "related via", "http://dyna.dnsever.com/download/DDNSClient_1.0.0.5.zip", "http://irc.zief.pl:81/gi.exe" ], "references": [ "http://dyna.dnsever.com/download/DDNSClient_1.0.0.5.zip", "http://irc.zief.pl:81/gi.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 544, "hostname": 238, "FileHash-SHA256": 290, "domain": 154, "FileHash-MD5": 8, "FileHash-SHA1": 8 }, "indicator_count": 1242, "is_author": false, "is_subscribing": null, "subscriber_count": 391, "modified_text": "1362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6214fc22e807fba6c0c65091", "name": "Trojan.Downloader.Small-1607", "description": "", "modified": "2022-03-24T00:00:00.271000", "created": "2022-02-22T15:07:14.603000", "tags": [ "showing", "entries", "Scribble" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32/Madang.C", "display_name": "Win32/Madang.C", "target": null }, { "id": "Trojan.Downloader.Small-1607", "display_name": "Trojan.Downloader.Small-1607", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 632, "URL": 385, "hostname": 164, "domain": 66 }, "indicator_count": 1247, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1488 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "620c3d615adc213e1b734b06", "name": "bluetoothbotty like nothing you have seen hefore", "description": "", "modified": "2022-03-17T00:01:08.614000", "created": "2022-02-15T23:55:13.400000", "tags": [ "ssl certificate", "whois whois", "whois http", "pc https", "rdr https" ], "references": [ "blutoothbotty" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3590, "hostname": 815, "FileHash-SHA256": 4137, "domain": 504, "CVE": 1, "FileHash-SHA1": 1 }, "indicator_count": 9048, "is_author": false, "is_subscribing": null, "subscriber_count": 396, "modified_text": "1495 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "Hybrid Analysis", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "https://www.virustotal.com/graph/g5cc372545fb241bdab97ceedfdc72d87d6ec1e42c9a545ae9f824ed1e99521d9", "https://www.virustotal.com/graph/embed/g04c1c4343dff4977a4d6b22d125a1505f3d2798b3f3745bf853914b4d39f2f56", "https://hybrid-analysis.com/sample/6765f47ea77c8274c8e4973ed95aedf59e75998c62f6029e23c58cdf36ed85ba/654afdbdc621e7037801cce7", "www.norad.mil (federal tracking tool used by attorneys, law firms, and private investigators 'licensed or unlicensed') hi!", "http://182.22.25.124:7878/182.22.25.124:443 (malicious dropper)", "http://init-p01st.push.apple.com/bag (malicious web creator)", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "sonymobilemail.com", "URLhaus Abuse.ch", "0-w5-cms.ultimate-guitar.com", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "pegahpouraseflaw.info", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "https://www.pornhub.com/video/search?search=tsara+brashears (Malicious PW cracker | stylebk.css stylesheets - not found )", "https://urlscan.io/result/a328d9ff-fb49-4078-960d-a757fd41404f/#indicators", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "apples.encryptedwork.com (Interesting in the blacknet)", "https://www.anyxxxtube.net/media/favicon/apple (password cracker and iOS hijacker)", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "fp2e7a.wpc.2be4.phicdn.net", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "http://pornhub.com/gay/video/search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing, ELF, Prism.exe found)", "api.utah.edu [access apple]", "www.anyxxxtube.net [malicious data collection]", "http://mouthgrave.net/index.php", "IPv4 45.12.253.72. command_and_control", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "g04c1c4343dff4977a4d6b22d125a1505f3d2798b3f3745bf853914b4d39f2f56.json", "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "Maltiverse Research Team", "init.ess.apple.com (malicious code script)", "IPv4 104.247.81.51 command_and_control", "http://appleid.icloud.com-website33.org/", "honey.exe", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "s3.amazonaws.com [targeting data collection]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "https://www.side3.com", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "Deep Research", "api.login.live.com", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "Abuse IPDB Link: https://www.abuseipdb.com/check/20.99.186.246", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "g5cc372545fb241bdab97ceedfdc72d87d6ec1e42c9a545ae9f824ed1e99521d9.json", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "happylifehappywife.com", "IPv4 45.15.156.208 command_and_control", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "www.icloud.com [wp-login.php]", "Hostname: www.supernetforme.com command_and_control", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "Intellectual property accessed and distributed", "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "andrewka6.pythonanywhere.com [python connection - apple]", "CS Sigma Rules: Python Initiated Connection by frack113", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "webdisk.thehomemakers.nl [spyware | tracking]", "VirusTotal Link: https://www.virustotal.com/gui/ip-address/20.99.186.246/detection", "opencve.djgummikuh.de (CVE dispensary)", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "IPv4 95.213.186.51 command_and_control", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "message.htm.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "IPv4 103.224.182.246 command_and_control", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://side3.com/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "IPv4 72.251.233.245 command_and_control", "Collection VT - https://www.virustotal.com/gui/collection/70e122270a95cbc415c33faeb7d72d42b7864f4261dabb6e93c52af0fbc4d533", "ThreatFox Abuse.ch", "http://fillmark.net/index.php [phishing]", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "IPv4 63.251.106.25 command_and_control", "20.99.186.246 exploit source", "http://dyna.dnsever.com/download/DDNSClient_1.0.0.5.zip", "http://irc.zief.pl:81/gi.exe", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password cracker)", "Hostname: ddos.dnsnb8.net command_and_control", "Cyber Threat Coalition", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "https://www.apple.com/shop/browse/open/country_selector (exploit)", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "www-temp.metrobyt-mobile.com [malicious | data collection]", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "https://downloaddevtools.ir/ (phishing)", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635. (iOS unlocker and hijacker)", "Self whitelisting tool, domains moved within nginx.", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "ransomed.vc", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "tv.apple.com", "blutoothbotty", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "URLscan.io", "http://ambisexual.phone-sex-blogs.com/http:/ambisexual.phone-sex-blogs.com/images/thumbnails/pic118.jpg (phishing)", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Lucky Mouse APT27 | NoName057(16) | Unnamed", "Out For Blood" ], "malware_families": [ "Heur/qvm41.2.da9b.malware", "Trojan.indiloadz", "Exploit.w32.agent", "Trojan.ransom.generickd", "Psw.agent", "Malwarebazzar", "Heur.bzc.yax.pantera.10", "Nemucod.a", "Trojanspy.python", "Trojan.trickster", "Generic.malware", "Njrat", "Heur:trojan.msoffice.alien", "Trojan.pws.agent", "Filerepmalware", "Dldr.agent", "Sality", "S-b748adc5", "Trojan.agent", "Gen:variant.zusy", "Phish.ab", "Gen:nn", "$webwatson", "Trojan.java", "Webmonitor rat", "Exploit cve-2017-11882", "Virus.win32.virut.q", "Cil.heapoverride", "Gen:nn.zemsilf.34128", "Heur:trojan.msoffice.stratos", "Gamehack.dom", "Suspicious.cloud", "Mbt", "Trojan:msil/burkina", "Gen:nn.zemsilf.34062", "Gen:heur.noobyprotect", "Trojan.cud.gen", "Trojan.php.agent", "Downloader.certutilurlcache", "Gen:nn.zexaf.32515", "Sgeneric", "Trojan.androm.gen", "Loki bot", "Domains", "Application.innovativsol", "Kuluoz.b.gen", "Trojan.wanna", "Gen:variant.ser.strictor", "Trojan.vbkryjetor", "Backdoor.xtreme", "Trojan.ekstak", "Sibot", "Emotet", "Adware.kuzitui", "Generic.servstart.a", "Agen.1030939", "Tscope.trojan", "Injector.clds", "Blacknet rat", "Malicious.3e78cc", "Ransom_wcry.smj", "W32.eheur", "Trojan.malware.121218", "Wacapew.c", "Ait.heur.cottonmouth.8.78f19bd7", "Suspicious.low.ml", "Worm.win64.autorun", "Psw.stealer", "Msil.downloader", "Pua.gen", "Malware.heur_generic.a", "Dropper.trojan.agent", "Gen:variant.kazy", "Program.unwanted", "Phish.jat", "Vb:trojan.valyria", "Loki password stealer (pws)", "Constructor.msil", "Riskware.hacktool.agent", "Heur:backdoor.msil.nanobot", "Ransom_wcry.smalym", "Agent.aik.gen", "Trojan.downloader.small-1607", "Malicious.f01f67", "Pua.reg1staid", "Adware.installmonetizer", "Maui ransomware", "Generic.msil.bladabindi", "Js:trojan.hidelink", "Powershell.downloader", "Hack.patcher", "Trojan.downloader.generic", "Trojanspy", "Spyware.bobik", "Backdoor.agent", "Auslogics", "Script.agent", "Agent.aso", "Unsafe.ai_score_100%", "Backdoor.poison", "Linux.agent", "Bladabindi.q", "Ramnit.n", "Trojan.heur", "Zbd zeus", "Html:script", "Trojan.killproc", "Gen:trojan.heur2.lptbhw@w64.hfsautob", "Presenoker", "Hacktool", "Webtoolbar", "Immortal stealer", "Sdbot.caoc", "Suspicious.save", "Dropper.trojan.generic", "Trickbot - s0266", "Application.searchprotect", "Agen.1144657", "Agen.1043164", "Susp.rtf.objupdate", "Azorult", "Opensubtitles.a", "Dropper.msil", "Behaveslike.exploit", "Agenttesla", "Goldmax", "Smokeloader", "Generic.malware.smyb", "Trojan.js.agent", "Powershell.trojan", "Unsafe", "W32.trojan", "Trojan.pornoasset", "Psw.discord", "Agent.nbae", "Riskware.netfilter", "Generic.trickbot.1", "Vba.downloader", "Win32/madang.c", "Pws-fczz", "Generic.bitcoinminer.3", "Cve-2015-1650", "Redline", "Macro.trojan.dropperd", "Heur:remoteadmin.generic", "Js:trojan.js.faceliker", "Gamehack.crs", "Backdoor.androm", "Msil.trojan.bse", "Packed-gv", "Index.php", "Scrinject.b", "Generic.msil.passwordstealer", "Bscope.riskware", "Redcap.zoohz", "Heur.vba.trojan", "Trojan.pws.growtopia", "Qvm201.0.b70b.malware", "Trojan.autoruns.generickds", "Hacktool.cheatengine", "Zbot", "States", "Gen:variant.jaiko", "Indiloadz.bb", "Tofsee", "Evo", "Packed.vmprotect", "Gen:variant.msilperseus", "Heur:trojan.linux.agent", "Trojan.delshad", "Agent.ypez", "Trojan.packednet", "Virus.office.qexvmc", "Gen:variant.barys", "Agen.1141126", "Trojan.notifier", "Ransom:win32/cve-2017-0147", "Trojan:vba/downldr", "Trojan.msil.injector", "Risktool.phpw", "Application.sqlcrack", "Virus.ramnit", "Il:trojan.msilzilla", "Redline stealer", "Bscope.trojan", "Possiblethreat.pallas", "Vb.downloader.2", "Behaveslike.ransom", "Cyber criminal", "Lumma", "Virtool", "Trojan.starter js.iframe", "Gen:variant.ulise", "Agen.1038489", "Html_redir.smr", "Troj_gen.r002c0og518", "Staticrr.paleokits.net", "Trojandownloader:linux/downldr", "Dropped:generic.ransom.dmr", "Vb.emodldr.4", "Xlm.trojan.abracadabra.27", "Redcap.rlhse", "Heur/qvm42.3.72eb.malware", "Exploit.msoffice", "Behavbehaveslike.pupxbi", "Emotet - s0367", "Packed.themida.gen", "Trojanspy.java", "Dropper.binder", "Faceliker.a", "Trojanspy.keylogger", "Kryptik.noe", "Kryptik.nrd", "W32.sality.pe", "Gen:variant.midie", "Vb.chronos.7", "Agent.pwc", "Agent tesla - s0331", "Gen:variant.cerbu", "Gen:variant.johnnie", "Riskware.agent", "Script.inf", "Gen:variant.sirefef", "Fragtor", "Vb:trojan.vba.agent", "Agent.aik.gencil.stupidcryptor", "Gen:variant.bulz", "Blacknet", "Trojan.tasker", "Suppobox", "Trojan.trickbot", "Delf.nbx", "Vb.pwshell.2", "Trojan.pws", "Trojandropper:win32", "Gen:heur.msil.inject", "Trojan.inject", "Gen:heur.ransom.hiddentears", "Tsgeneric", "Goldfinder", "Adware.downware", "Adload.ad81", "Backdoor.rbot", "Heur:webtoolbar.generic", "Backdoor.msil.agent", "Feodo", "Gen:variant.razy", "Exploit.cve", "Trojan.wisdomeyes.16070401.9500", "Trojan.psw.python", "Virus.3dmax.script", "Kryptik.gucb", "Trojan:python/downldr", "Hacktool.binder", "Skynet", "Malicious.11abfc", "Malicious.6e0700", "Malwarex", "Worm:win32/mydoom", "Susp.lnk", "Icefog", "Malicious.d800d6", "Redcap.vneda", "Apt notes", "Trojan.msil", "Quasar", "Trojan.win64", "Hw32.packed", "Ml.generic", "Heur:trojan.msil.tasker", "Downldr.gen", "Trojan.script", "Macro.downloader.amip", "Dridex", "Black.gen2", "Trojan.chapak", "Packed.asprotect", "Pws.p", "Trojan.psw.mimikatz", "Deepscan:generic.spyagent.6", "Phishing.html", "Malicious.8c45ba", "Maltiverse", "Ransom.win64.wacatac.oa", "Gen:heur.ransom.msil", "Ransomware", "Relic", "Generic.msil.limerat", "Malicious.moderate.ml", "Injector.jdo", "Zpevdo.b", "Js:trojan.js.likejack", "Deepscan:generic.ransom.amnesiae", "Macro.agent", "Generic.msil.grwtpstealer.1", "Trojan.ole2.vbs", "Virus.virut", "Trojan.python", "Malicious.71b1a8", "Riskware", "Backdoor.hupigon", "Vb.emooodldr.10", "Riskware.crack", "Trojan.vba", "Gamehack.nl", "Trojan.html.phish", "Gen:variant.graftor", "Heur:adware.startsurf", "Kryptik.fph.gen", "Hacktool.bruteforce", "Hoax.js.phish", "Wannacry", "Constructor.msil linux.agent", "Gen:variant.ursu", "Xegumumune.8596c22f", "Trojan.doc.downloader", "Js:iframe", "Bulz", "Gen:variant.mikey", "Artemis", "Malware.", "Formbook", "Trickbot", "Inmortal", "Trojan.malware.300983", "Suspicious_gen.f47v0520", "Heur:exploit.generic", "Locky", "Snh:script [dropper]", "Heur.msword.gen", "Wacatac.d6", "Injector.is.gen", "Fake ,promethiumm ,strongpity", "Dangerousobject.multi", "Wannacryptor", "Troj_frs.vsntfk19", "Js:trojan.clicker", "W32.aidetect", "Heur:trojan.ole2.alien", "Gen:heur.msil.androm", "Suspected of trojan.downloader.gen", "Cil.stupidcryptor", "Packed.netseal", "Generic", "Gen:variant.revengerat", "Malware.tk.generic", "Tulach", "Gen:variant.symmi", "Python.keylogger", "W32.aidetectvm", "Ransom.wannacrypt", "Ransom.win64.pornoasset.sm1", "Generic.asmalws", "Js:trojan.cryxos", "Pwsx", "Agen.1045227", "Trojan.generic", "Trojan:linux/downldr", "Malicious.high.ml", "Elf", "Heur:trojan.msoffice.sagent", "Tor - s0183", "Heur:trojan.tasker", "Deepscan:generic.ransom.gandcrab5", "Autoit.bimwt" ], "industries": [ "Civil society", "Telecommunications", "Technology", "Financial services data", "Media sharing", "Contaent delivery", "Recording industry", "Private sector", "Entertainment", "Healthcare", "Entertainers" ], "unique_indicators": 138252 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/chura.pl", "whois": "http://whois.domaintools.com/chura.pl", "domain": "chura.pl", "hostname": "ns2.chura.pl" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 34, "pulses": [ { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980ad16123b5d52f5f76f", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com [Report originated from octoseek]", "description": "", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-19T12:10:21.291000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": "65f4ba867ec44a4dc0e6fc96", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f4ba867ec44a4dc0e6fc96", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com", "description": "Jiuxiu Live - High-quality beauty online video interactive community - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -porn dump. Performed tiny DNS test on affected target. \nDNS stuffing pornography. DNSpionage , custom browser, DNS tunneling encoding data, programs, protocols, DNS queries, responses, amplification attack; perform (DDoS) on server, flood attack, spoofing. Attack. Miles IT & affiliated logging inas target. Pitfall of being compromised for some; you won't speak to legitimate business unless you know & recognize voice. \nSome notations in references.", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-15T21:15:50.802000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a1c74cf5f1af5be6464e", "name": " authsmtp.sabeydatacenters.com | tulach gained access to Side3 Studios Denver\t\t", "description": "", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:41:27.252000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": "65c4a099f6a2c8fc2bb85d4b", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a099f6a2c8fc2bb85d4b", "name": "Cyber espionage & ransomware attacks Denver Recording Studio", "description": "GoldMax is used by UNC2452 as a command-and-control backdoor. It is written in the Go programming language. To hide its activities, it generates dummy traffic.\n\nSibot is a VBScript-based malware that allows attackers to download and run payloads from a remote command-and-control server. It uses file names that are similar to those used in Windows for masquerading. The VBScript is executed through a scheduled task.\n\nGoldFinder is another Go malware used by attackers to access a hardcoded command-and-control (C2) server by logging the route or hops that a packet takes like an HTTP tracer tool.", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:36:25.114000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65715b49b95c13605856d6d0", "name": "Lazarus Group _ 192.229.211.108", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-07T05:42:33.281000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "65715ad29ac565164664960b", "export_count": 210, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65715ad29ac565164664960b", "name": "InstallMate", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-07T05:40:34.888000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 210, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6572622bba87d8d105a7259f", "name": "Lazarus Group _ 192.229.211.108", "description": "", "modified": "2024-01-06T05:02:33.698000", "created": "2023-12-08T00:24:11.801000", "tags": [ "as15133 verizon", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "trojandropper", "body", "orgtechhandle", "orgid", "w jefferson", "blvd", "city", "los angeles", "stateprov", "postalcode", "sawyer", "kleinart", "mtb dec", "win32upatre dec", "win32qqpass dec", "entries", "date hash", "avast avg", "name verdict", "falcon sandbox", "generic malware", "tag count", "wed sep", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "generic", "noname057", "csv behavior", "text", "win32 dll", "win32 exe", "javascript", "office open", "xml document", "text iocs", "mario", "csv test", "python", "ip summary", "text query16752", "text edge", "type name", "services", "net192", "net1920000", "cidr", "nethandle", "orgabusehandle", "orgabusephone", "as14153", "contacted", "ssl certificate", "tsara brashears", "whois whois", "ransomware", "apple ios", "family", "roots", "lolkek", "tzw variants", "emotet", "bluenoroff", "lazarus", "dark power", "play ransomware", "makop", "attack", "core", "hacktool", "chaos", "ransomexx", "quasar", "njrat", "installer", "banker", "keylogger", "execution", "ermac", "metasploit", "relic", "monitoring", "qakbot", "thu nov", "url summary", "first", "cobalt strike", "strike cobalt", "malicious url", "tld count", "sun sep", "china cobalt", "strike", "cyber threat", "maltiverse", "malware site", "malicious host", "malware", "host", "phishing", "team", "exploit", "mirai", "pony", "nanocore", "bradesco", "suppobox", "laplasclipper", "asyncrat", "fakealert", "ramnit", "cisco umbrella", "site", "safe site", "heur", "malicious site", "alexa top", "million", "phishing site", "artemis", "unsafe", "riskware", "bank", "outbreak", "dropper", "trojanx", "turla", "installcore", "acint", "conduit", "installpack", "iobit", "mediaget", "crack", "iframe", "downldr", "agent", "presenoker", "alexa", "blacknet rat", "stealer", "unruy", "cleaner", "union", "dbatloader", "downloader", "blocker", "ransom", "autoit", "bladabindi", "trojan", "irata", "azorult", "service", "runescape", "facebook", "download", "genkryptik", "opencandy", "trojanspy", "relacionada", "referrer", "formbook", "blacklist http", "control server", "firehol", "botnet command", "http spammer", "mail spammer", "phishtank", "dnspionage", "betabot", "wormx", "redline stealer", "solimba", "zbot", "webtoolbar", "utc submissions", "submitters", "tot public", "company limited", "gandi sas", "ovh sas", "mb iesettings", "mb acrotray", "kb program", "team alexa", "quasar rat", "spammer", "team proxy", "ip reputation", "cins active", "online fri", "online sat", "sat apr", "temp", "windir", "kontakt", "antivirus", "sat jun", "gmt0600", "programdata", "regexpandsz d", "allusersprofile", "soar", "malicious", "programfiles", "sun jun", "mbt", "info api", "http", "redlinestealer", "score integrate", "siem", "tencent", "rc7 bypassed", "mon jun", "api sample", "hybridanalysis", "online sun", "fri jun", "tue apr", "code", "date", "hackers", "lumma stealer", "ursnif", "open" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "MBT", "display_name": "MBT", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "65715b49b95c13605856d6d0", "export_count": 234, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 882, "FileHash-SHA1": 497, "FileHash-SHA256": 3763, "URL": 3088, "hostname": 1203, "CIDR": 2, "domain": 680, "CVE": 9, "email": 13 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ns2.chura.pl", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ns2.chura.pl", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776649658.3694155 }