{ "type": "URL", "indicator": "https://onsapay.com/loaderR2", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://onsapay.com/loaderR2", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3771294415, "indicator": "https://onsapay.com/loaderR2", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6533120ed78adc8baa57b9d0", "name": "quick look at 79.12.165.51", "description": "", "modified": "2025-10-25T02:11:11.653000", "created": "2023-10-20T23:49:34.890000", "tags": [], "references": [ "https://www.virustotal.com/graph/g03fce3ad62f74ad59bbcda71bfdde96da39417641c9a470f99adfa9b14a7724c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 1650, "URL": 1744, "domain": 339, "email": 1, "hostname": 834, "CVE": 1 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 179, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6529c91a4f8f0c898f48088c", "name": "quick look at vk.com", "description": "", "modified": "2025-06-26T22:23:19.431000", "created": "2023-10-13T22:47:54.295000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 1981, "domain": 506, "hostname": 1258, "URL": 3080 }, "indicator_count": 6861, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8ec0568abca6f44e16f", "name": "quick look at vk.com", "description": "", "modified": "2023-12-06T17:01:32.275000", "created": "2023-12-06T17:01:32.275000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1981, "domain": 506, "hostname": 1262, "URL": 3080, "FileHash-MD5": 18, "FileHash-SHA1": 18 }, "indicator_count": 6865, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6533ed2685e0fc66ac0628bd", "name": "Network capture | Gather Victim Network Information | C2", "description": "Botnet. Spammer. BN campaigners. Victim name used for marketing BN and porn. This website contains age-restricted material and contains explicit depictions of sexual activity, but does not ask for permission to access or access any of the site's materials. \u00c2\u00a9 Mile High Distribution Inc", "modified": "2023-11-20T11:03:09.867000", "created": "2023-10-21T15:24:22.377000", "tags": [ "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "ssl certificate", "contacted", "whois record", "tsara brashears", "historical ssl", "apple", "password", "porn", "networks", "botnet campaign", "crypto", "installer", "attacker", "metro", "brazzers", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "maxage86400", "path", "html info", "title page", "found meta", "milehigh", "watch", "milfs", "trackers google", "analytics na", "name verdict", "falcon sandbox", "reports no", "specific", "pattern match", "file", "ascii text", "windows nt", "jpeg image", "united", "appdata", "jfif", "mitre att", "date", "unknown", "hybrid", "accept", "general", "local", "strings", "class", "critical", "error", "server", "email", "code", "whois privacy", "domain status", "registrar abuse", "registrar url", "registrar", "registry domain", "C2", "organization", "threat level", "windir", "getpost", "name server", "openurl c" ], "references": [ "https://www.milehighmedia.com/legal/2257 exploit_source [Metro T-Mobile attacker. Brazzers | T]", "https://www.sweetheartvideo.com/tsara-brashears/ [Botnet tracking campaign, referrer]", "https://www.sweetheartvideo.com/tsara-brashears [Network ID]", "https://www.sweetheartvideo.com [Pattern match, Brashears]", "m1.sweetheartvideo.com [mailer!]", "mba3.sweetheartvideo.com [Server]", "https://www.hybrid-analysis.com/sample/a478360da159c358a804f1340f142fa2a0d689e02d743b71509e5e3921877a3e [Research Tool]", "Other", "browser.events.data.msn.com [sandbox and archive browser events]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4377, "FileHash-MD5": 128, "FileHash-SHA1": 127, "FileHash-SHA256": 2861, "domain": 829, "hostname": 1452, "CVE": 1, "email": 6 }, "indicator_count": 9781, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "881 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1d4a989642696d13b34c", "name": "Network capture | Gather Victim Network Information | C2", "description": "", "modified": "2023-11-20T11:03:09.867000", "created": "2023-10-30T03:04:42.175000", "tags": [ "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "ssl certificate", "contacted", "whois record", "tsara brashears", "historical ssl", "apple", "password", "porn", "networks", "botnet campaign", "crypto", "installer", "attacker", "metro", "brazzers", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "maxage86400", "path", "html info", "title page", "found meta", "milehigh", "watch", "milfs", "trackers google", "analytics na", "name verdict", "falcon sandbox", "reports no", "specific", "pattern match", "file", "ascii text", "windows nt", "jpeg image", "united", "appdata", "jfif", "mitre att", "date", "unknown", "hybrid", "accept", "general", "local", "strings", "class", "critical", "error", "server", "email", "code", "whois privacy", "domain status", "registrar abuse", "registrar url", "registrar", "registry domain", "C2", "organization", "threat level", "windir", "getpost", "name server", "openurl c" ], "references": [ "https://www.milehighmedia.com/legal/2257 exploit_source [Metro T-Mobile attacker. Brazzers | T]", "https://www.sweetheartvideo.com/tsara-brashears/ [Botnet tracking campaign, referrer]", "https://www.sweetheartvideo.com/tsara-brashears [Network ID]", "https://www.sweetheartvideo.com [Pattern match, Brashears]", "m1.sweetheartvideo.com [mailer!]", "mba3.sweetheartvideo.com [Server]", "https://www.hybrid-analysis.com/sample/a478360da159c358a804f1340f142fa2a0d689e02d743b71509e5e3921877a3e [Research Tool]", "Other", "browser.events.data.msn.com [sandbox and archive browser events]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" } ], "industries": [], "TLP": "white", "cloned_from": "6533ed2685e0fc66ac0628bd", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4377, "FileHash-MD5": 128, "FileHash-SHA1": 127, "FileHash-SHA256": 2861, "domain": 829, "hostname": 1452, "CVE": 1, "email": 6 }, "indicator_count": 9781, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "881 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.milehighmedia.com/legal/2257 exploit_source [Metro T-Mobile attacker. Brazzers | T]", "https://www.hybrid-analysis.com/sample/a478360da159c358a804f1340f142fa2a0d689e02d743b71509e5e3921877a3e [Research Tool]", "Other", "https://www.virustotal.com/graph/g03fce3ad62f74ad59bbcda71bfdde96da39417641c9a470f99adfa9b14a7724c", "m1.sweetheartvideo.com [mailer!]", "https://www.sweetheartvideo.com [Pattern match, Brashears]", "https://www.sweetheartvideo.com/tsara-brashears/ [Botnet tracking campaign, referrer]", "https://www.sweetheartvideo.com/tsara-brashears [Network ID]", "browser.events.data.msn.com [sandbox and archive browser events]", "mba3.sweetheartvideo.com [Server]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 20279 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/onsapay.com", "whois": "http://whois.domaintools.com/onsapay.com", "domain": "onsapay.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6533120ed78adc8baa57b9d0", "name": "quick look at 79.12.165.51", "description": "", "modified": "2025-10-25T02:11:11.653000", "created": "2023-10-20T23:49:34.890000", "tags": [], "references": [ "https://www.virustotal.com/graph/g03fce3ad62f74ad59bbcda71bfdde96da39417641c9a470f99adfa9b14a7724c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 1650, "URL": 1744, "domain": 339, "email": 1, "hostname": 834, "CVE": 1 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 179, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6529c91a4f8f0c898f48088c", "name": "quick look at vk.com", "description": "", "modified": "2025-06-26T22:23:19.431000", "created": "2023-10-13T22:47:54.295000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 1981, "domain": 506, "hostname": 1258, "URL": 3080 }, "indicator_count": 6861, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8ec0568abca6f44e16f", "name": "quick look at vk.com", "description": "", "modified": "2023-12-06T17:01:32.275000", "created": "2023-12-06T17:01:32.275000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1981, "domain": 506, "hostname": 1262, "URL": 3080, "FileHash-MD5": 18, "FileHash-SHA1": 18 }, "indicator_count": 6865, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6533ed2685e0fc66ac0628bd", "name": "Network capture | Gather Victim Network Information | C2", "description": "Botnet. Spammer. BN campaigners. Victim name used for marketing BN and porn. This website contains age-restricted material and contains explicit depictions of sexual activity, but does not ask for permission to access or access any of the site's materials. \u00c2\u00a9 Mile High Distribution Inc", "modified": "2023-11-20T11:03:09.867000", "created": "2023-10-21T15:24:22.377000", "tags": [ "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "ssl certificate", "contacted", "whois record", "tsara brashears", "historical ssl", "apple", "password", "porn", "networks", "botnet campaign", "crypto", "installer", "attacker", "metro", "brazzers", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "maxage86400", "path", "html info", "title page", "found meta", "milehigh", "watch", "milfs", "trackers google", "analytics na", "name verdict", "falcon sandbox", "reports no", "specific", "pattern match", "file", "ascii text", "windows nt", "jpeg image", "united", "appdata", "jfif", "mitre att", "date", "unknown", "hybrid", "accept", "general", "local", "strings", "class", "critical", "error", "server", "email", "code", "whois privacy", "domain status", "registrar abuse", "registrar url", "registrar", "registry domain", "C2", "organization", "threat level", "windir", "getpost", "name server", "openurl c" ], "references": [ "https://www.milehighmedia.com/legal/2257 exploit_source [Metro T-Mobile attacker. Brazzers | T]", "https://www.sweetheartvideo.com/tsara-brashears/ [Botnet tracking campaign, referrer]", "https://www.sweetheartvideo.com/tsara-brashears [Network ID]", "https://www.sweetheartvideo.com [Pattern match, Brashears]", "m1.sweetheartvideo.com [mailer!]", "mba3.sweetheartvideo.com [Server]", "https://www.hybrid-analysis.com/sample/a478360da159c358a804f1340f142fa2a0d689e02d743b71509e5e3921877a3e [Research Tool]", "Other", "browser.events.data.msn.com [sandbox and archive browser events]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4377, "FileHash-MD5": 128, "FileHash-SHA1": 127, "FileHash-SHA256": 2861, "domain": 829, "hostname": 1452, "CVE": 1, "email": 6 }, "indicator_count": 9781, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "881 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1d4a989642696d13b34c", "name": "Network capture | Gather Victim Network Information | C2", "description": "", "modified": "2023-11-20T11:03:09.867000", "created": "2023-10-30T03:04:42.175000", "tags": [ "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "ssl certificate", "contacted", "whois record", "tsara brashears", "historical ssl", "apple", "password", "porn", "networks", "botnet campaign", "crypto", "installer", "attacker", "metro", "brazzers", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "maxage86400", "path", "html info", "title page", "found meta", "milehigh", "watch", "milfs", "trackers google", "analytics na", "name verdict", "falcon sandbox", "reports no", "specific", "pattern match", "file", "ascii text", "windows nt", "jpeg image", "united", "appdata", "jfif", "mitre att", "date", "unknown", "hybrid", "accept", "general", "local", "strings", "class", "critical", "error", "server", "email", "code", "whois privacy", "domain status", "registrar abuse", "registrar url", "registrar", "registry domain", "C2", "organization", "threat level", "windir", "getpost", "name server", "openurl c" ], "references": [ "https://www.milehighmedia.com/legal/2257 exploit_source [Metro T-Mobile attacker. Brazzers | T]", "https://www.sweetheartvideo.com/tsara-brashears/ [Botnet tracking campaign, referrer]", "https://www.sweetheartvideo.com/tsara-brashears [Network ID]", "https://www.sweetheartvideo.com [Pattern match, Brashears]", "m1.sweetheartvideo.com [mailer!]", "mba3.sweetheartvideo.com [Server]", "https://www.hybrid-analysis.com/sample/a478360da159c358a804f1340f142fa2a0d689e02d743b71509e5e3921877a3e [Research Tool]", "Other", "browser.events.data.msn.com [sandbox and archive browser events]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" } ], "industries": [], "TLP": "white", "cloned_from": "6533ed2685e0fc66ac0628bd", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4377, "FileHash-MD5": 128, "FileHash-SHA1": 127, "FileHash-SHA256": 2861, "domain": 829, "hostname": 1452, "CVE": 1, "email": 6 }, "indicator_count": 9781, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "881 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://onsapay.com/loaderR2", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://onsapay.com/loaderR2", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776639491.1655526 }