{ "type": "URL", "indicator": "https://origin-test.bdn.dev", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://origin-test.bdn.dev", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3746623183, "indicator": "https://origin-test.bdn.dev", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "68feb98a8c1b75b4431a3e8e", "name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?", "description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.", "modified": "2025-11-25T20:05:31.749000", "created": "2025-10-27T00:15:06.191000", "tags": [ "html internet", "html document", "ascii text", "language", "cve202323397", "iframe tags", "tag manager", "gtmkvjvztk", "anchor hrefs", "info ta0011", "protocol", "layer protocol", "port", "t1571 encrypted", "channel", "t1573 malware", "tree", "oc0006 http", "c0014", "get http", "dns resolutions", "resolved ips", "user", "data", "datacrashpad", "edge", "v full", "reports v", "chrome u", "appdata local", "googlechrome u", "u ser", "cname", "ip address", "http", "accept", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "extraction", "suggested iocs", "data upload", "cry dee", "stop", "type", "url indicator", "enter", "failed", "se share", "extrac", "enter so", "passive dns", "urls", "hostname add", "pulse pulses", "files", "domain", "files ip", "address", "location united", "asn as20473", "dynamicloader", "directui", "write c", "intel", "ms windows", "pe32", "element", "delete c", "document file", "v2 document", "explorer", "trojandropper", "write", "markus", "august", "movie", "insert", "pulse submit", "url analysis", "asn as8068", "united", "entries", "body", "please", "x msedge", "ipv4 add", "present sep", "present oct", "present feb", "status", "unknown ns", "search", "name servers", "present jul", "aaaa", "present apr", "trojan", "medium", "high", "yara rule", "globalc", "june", "malware", "win64", "unknown", "america flag", "twitter", "hostname", "domain add", "reverse dns", "america asn", "present aug", "a domains", "moved", "first pqc", "unknown aaaa", "title", "meta", "window", "encrypt", "pulse indicator", "body doctype", "welcome", "ok server", "gmt content", "atlanta", "abuse", "agent", "service", "present jun", "present may", "creation date", "record value", "servers", "libretv meta", "certificate", "value", "whois lookup", "loopia ab", "userlolxxl" ], "references": [ "http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist", "It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!", "pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz", "Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com", "docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips", "https://hs.ecam.com/your-challenges-ecams-solutions", "https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022", "https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/", "Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wannacry", "display_name": "Wannacry", "target": null }, { "id": "Foundry", "display_name": "Foundry", "target": null }, { "id": "Trojan:Win32/Comisproc!gmb", "display_name": "Trojan:Win32/Comisproc!gmb", "target": "/malware/Trojan:Win32/Comisproc!gmb" }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "#Exploit:Win32/CVE- 2023 - 23397", "display_name": "#Exploit:Win32/CVE- 2023 - 23397", "target": "/malware/#Exploit:Win32/CVE- 2023 - 23397" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "ALF:PulZati:Worm:Win32/Mydoom", "display_name": "ALF:PulZati:Worm:Win32/Mydoom", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 8, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 248, "FileHash-SHA1": 134, "FileHash-SHA256": 2661, "URL": 6257, "domain": 682, "email": 8, "hostname": 2077, "CVE": 1 }, "indicator_count": 12068, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "145 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688d75bdc4bc5ba5cb6df7fb", "name": "2nd X - https://ldl.myqnascloud.com/ - DT_VMP_32", "description": "*Malware: DT_VMP_32 -associated with non specific trojan or ransomware activity, widely-known malware family with (custom) unique names.\n\u2022 pid-bodis-gcontrol151 |\u2022 googledownloads.cn\nServer or central repository used to target Tsara Brashears , \n into a malicious w/botnet world. Parked domains used w/malicious intent though appearing benign or \u2018for sale\u2019. \n\nDetections: \nSuspicious User-Agent - Possible Trojan Downloader (https)\nHTTP Request to a *.tw domain\n#bodis #targeting #parkingcrews #active #content_delivery #malvertizing #content_scraping #malware #attacks #dumping #framing #webcache #colbaltstrike #trojan_downloader #disabler #distributor #music_piracy #domainfraud #ransom", "modified": "2025-09-01T01:01:18.030000", "created": "2025-08-02T02:19:41.646000", "tags": [ "cisco", "umbrella rank", "domain", "general full", "united", "reverse dns", "software", "kb script", "url https", "asn15169", "google", "resource", "hash", "value", "variables", "domainpath name", "name value", "august", "servaas klute", "americachicago", "verified", "ecdsa", "linux x8664", "khtml", "gecko", "aes128gcm", "maxradlinklen50", "encrypt", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "spawns", "mitre att", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "pattern match", "show technique", "body", "date", "hybrid", "general", "path", "click", "strings", "meta", "present jul", "search", "entries", "ip address", "registrar", "creation date", "record value", "name servers", "servers", "found a", "location united", "asn as15169", "less whois", "mtb apr", "trojan", "trojandropper", "backdoor", "win32qqpass apr", "next associated", "files show", "date hash", "avast avg", "ipv4", "pulse pulses", "passive dns", "urls", "files", "hacktool", "ipv4 add", "virtool", "present aug", "present feb", "present jan", "gmt location", "gmt max", "certificate", "showing", "cowboy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2209, "domain": 801, "URL": 6114, "FileHash-SHA256": 2162, "FileHash-MD5": 184, "FileHash-SHA1": 187, "CIDR": 3, "SSLCertFingerprint": 2, "email": 1, "CVE": 2 }, "indicator_count": 11665, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66246ff49ed29ea9bb2bf122", "name": "S\u0105d Rejonowy w Jeleniej Gorze POLAND", "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations", "modified": "2025-05-14T21:18:36.989000", "created": "2024-04-21T01:46:28.554000", "tags": [ "jeleniej grze", "aktualnoci", "informacje", "jednostka", "rejonowy", "konkurs", "najczciej", "sd rejonowy", "przejd", "czytaj", "click", "sdzia jarosaw", "wydziau", "sdzia grzegorz", "katarzyna", "rudnicka dane", "kontaktowe sd", "jelenia gra", "mickiewicza", "zawarto", "html", "nazwa meta", "robotw", "telefon", "brak", "skala", "ua zgodna", "head body", "zasb", "cname", "kod odpowiedzi", "kodowanie treci", "wygasa", "gmt serwer", "pragma", "kontrola pamici", "podrcznej", "data", "gmt kontrola", "dostpuzezwl na", "czytaj wicej", "sd okrgowy", "jednostki", "okrgowy", "ogoszenia", "sha256", "vhash", "ssdeep", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "tworzy katalog", "tworzy pliki", "typ pliku", "json", "ascii", "windows", "sqlite", "foxpro fpt", "links typ", "mapa", "152 x", "sqlite w", "sha1", "sha512", "file size", "b file", "testing", "komornik sdowy", "sdzie rejonowym", "tomasz rodacki", "obwieszczenie", "komornicze", "tumacza migam", "tumacz czynny", "zamknite", "wiadczenia", "schedule", "error", "javascript", "bakers hall", "ixaction", "script", "ixchatlauncher", "compatibility", "com dla", "t1055 pewno", "unikanie obrony", "t1036 maskarada", "t1082 pewno", "informacje o", "nazwa pliku", "dokument pdf", "rozmiar pliku", "zapowied", "type", "iii dbt", "utf8", "dziennik" ], "references": [ "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "http://www.jelenia-gora.so.gov.pl/", "https://www.jelenia-gora.so.gov.pl/", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://waf.intelix.pl/957476/Chat/Script/Compatibility" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "serwer", "display_name": "serwer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 71, "domain": 7651, "hostname": 7680, "IPv4": 331, "FileHash-SHA256": 16168, "URL": 10399, "FileHash-MD5": 3639, "FileHash-SHA1": 3468, "CIDR": 4, "CVE": 89, "YARA": 521, "SSLCertFingerprint": 25, "JA3": 1, "IPv6": 5813 }, "indicator_count": 55860, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "340 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665182d791bfc08412ec2c0a", "name": "Shadow Pad | Appears as investigation of an infirmed non criminal", "description": "ShadowPad is a modular backdoor attack platform that uses an ecosystem of plugins. It stealthily infiltrates target systems and provides attackers with capabilities to gather data execute commands, interacts with the file system and registry, and deploys new modules to extend functionality controlling the compromised systems remotely.\n\nElderly ill target cannot summon help.\n*Forced Updates for Google Chrome\n*Browser bar plug-in. \nRedirects calls to OOS phone message who;e call is still dialing\n*Emergency calls are always answered by 'police communication' at every given time of the day there are no police , ambulance, or any help available. They have already left for the day. \n*Nefarious user has on UTC time.\n Merits further investigation.", "modified": "2024-06-24T05:01:31.025000", "created": "2024-05-25T06:19:03.896000", "tags": [ "threat roundup", "historical ssl", "referrer", "socs", "water dybbuk", "a bec", "actor using", "service", "privateloader", "blacknet rat", "shadowpad", "algorithm", "v3 serial", "number", "cus ogoogle", "trust", "llc cngts", "validity", "subject public", "key info", "aaaa", "record type", "ttl value", "cname", "server", "domain status", "google llc", "registrar abuse", "registrar", "admin country", "ca creation", "dnssec", "subdomains", "key algorithm", "ec oid", "key identifier", "subject key", "identifier", "first", "name verdict", "falcon sandbox", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "sha1", "sha256", "severity", "ascii text", "hybrid", "local", "click", "strings", "contact", "isoscope", "malicious", "Trojan:PDF/Owaphish.A", "android", "cisco", "show", "create c", "related pulses", "copy", "search", "peter pdf", "modifydate", "hacker playbook", "practical guide", "write", "trojan", "format", "core", "united", "unknown", "passive dns", "scan endpoints", "all scoreblue", "urls", "files", "none related", "miles", "all search", "otx scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "abuse", "pentest", "127.0.0.1" ], "references": [ "Trojan:PDF/Owaphish.A: https://otx.alienvault.com/indicator/file/b3735b6a91f612fdb28832408fe53ee286d0d618802db2e35f0c9e1f266f8918", "https://www.hybrid-analysis.com/sample/1843e6de2e062031e54642a10f4582884a2a9e5d97092f7221c35e9fa9b92cc7/665173a88bb19689e2005033" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RCE CVE-2023-3519", "display_name": "RCE CVE-2023-3519", "target": null }, { "id": "Trojan:PDF/Owaphish.A", "display_name": "Trojan:PDF/Owaphish.A", "target": "/malware/Trojan:PDF/Owaphish.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 97, "FileHash-SHA1": 93, "FileHash-SHA256": 822, "domain": 166, "URL": 571, "hostname": 252, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 2012, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "664 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66141ecabe8f1ab189351dd3", "name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring", "description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related", "modified": "2024-05-08T16:00:34.588000", "created": "2024-04-08T16:43:54.908000", "tags": [ "installer", "tofsee", "trojan", "dropper", "dns", "as20940", "united", "aaaa", "as15703", "search", "servers", "as8455 schuberg", "a domains", "encrypt", "code", "tweakers", "unknown", "ransom", "body", "webcams", "banker", "location tracking", "vehicle tracking", "device tracking", "exploitation", "redirects", "ip tracking", "vpn nullify", "vehicle keycodes", "search threat", "analyzer feeds", "panel platform", "search platform", "profile user", "iocs", "redacted for", "passive dns", "all scoreblue", "hostname", "next", "cnc", "scanning host", "milesone", "virtual currency mining", "crypto", "regsetvalueexa", "regdword", "default", "show", "regbinary", "read c", "settingswpad", "as15169", "malware", "copy", "write", "upatre", "ids detections", "scan endpoints", "filehash", "av detections", "yara detections", "alerts", "analysis date", "file score", "ransom", "related pulses", "entries", "icmp traffic", "packing t1045", "t1045", "pe resource", "august", "win32", "for privacy", "creation date", "name servers", "urls", "date", "status", "as15169 google", "as44273 host", "ipv4", "pulse submit", "url analysis", "msie", "chrome", "moved", "title", "gmt content", "apple", "invalidate_gift_cards", "tulach rebranded", "hallrender rebranded", "as8075", "verdana", "td tr", "domain", "germany unknown", "as34011 host", "etag", "medium", "module load", "invalidate_google_play", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "win32 exe", "win32 dll", "javascript", "mozilla firefox", "edition", "detections type", "name", "keeweb", "setup", "firefox setup", "record type", "ttl value", "android", "files", "formbook", "critical cmd", "tracker", "tsara brashears", "remote", "historical ssl", "referrer", "march", "body html", "head meta", "moved title", "head body", "pegasus", "nemtih", "hit", "men", "gift_card_mining", "google_play_card_mining", "miner", "htmladodb may", "twitter", "win64", "as21342", "as2914 ntt", "as15334", "error", "certificate", "checkbox", "accept", "record value", "emails", "domain name" ], "references": [ "Virustotal - google.com.uy", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "nr-data.net [Apple Private Data Collection]", "checkip.dyndns.org [command and control]", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "144.76.108.82 [scanning host]", "Yara Detections PEtite24", "FormBook IP: 142.251.211.243", "https://pegasusm2.bullsbikesusa.com", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:MSIL/TrojanDropper", "display_name": "Trojan:MSIL/TrojanDropper", "target": "/malware/Trojan:MSIL/TrojanDropper" }, { "id": "Installer", "display_name": "Installer", "target": null }, { "id": "Sf:Agent-DQ\\ [Trj]", "display_name": "Sf:Agent-DQ\\ [Trj]", "target": null }, { "id": "TrojanDownloader:Win32/Upatre!rfn", "display_name": "TrojanDownloader:Win32/Upatre!rfn", "target": "/malware/TrojanDownloader:Win32/Upatre!rfn" }, { "id": "Win32:DropperX-gen\\ [Drp]", "display_name": "Win32:DropperX-gen\\ [Drp]", "target": null }, { "id": "Win.Trojan.Tofsee-9770082-1", "display_name": "Win.Trojan.Tofsee-9770082-1", "target": null }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1574.005", "name": "Executable Installer File Permissions Weakness", "display_name": "T1574.005 - Executable Installer File Permissions Weakness" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1493", "name": "Transmitted Data Manipulation", "display_name": "T1493 - Transmitted Data Manipulation" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1013", "name": "Port Monitors", "display_name": "T1013 - Port Monitors" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1468", "name": "Remotely Track Device Without Authorization", "display_name": "T1468 - Remotely Track Device Without Authorization" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 468, "FileHash-SHA256": 3233, "URL": 8667, "domain": 2219, "hostname": 3480, "email": 8 }, "indicator_count": 18467, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "711 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659b4cea3e6da3a00306ae11", "name": "Ragnar Locker | Cowrie Hash", "description": "Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by an attacker. Cowrie also functions as an SSH and telnet proxy to observe attacker behavior to another system. Cowrie was developed from Kippo.\n\nRagnar Locker: \nAffected platforms: Microsoft Windows\nImpacted parties: Microsoft Windows & Linux Users\nImpact: Encrypts files on the compromised machine and demands ransom for file decryption\nSeverity level: High\n\nI'm not sure. It seems this 'Law' group aquires and sell your digital profiles, PHI. PII, Banking , Insurance credentials on the dark web.", "modified": "2024-02-06T23:04:54.022000", "created": "2024-01-08T01:16:26.884000", "tags": [ "contacted", "pe resource", "execution", "problems", "alienvault part", "dropped", "kgs0", "kls0", "collections", "schema abuse", "iframe", "united", "as29791", "search", "entries", "passive dns", "urls", "service", "date", "unknown", "japan unknown", "body", "czechia unknown", "sinkhole", "emotet", "date hash", "avast avg", "mtb dec", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "samples", "tulach", "tulach.cc", "sabey data center", "malware server", "gorf", "set cookie", "united kingdom", "script urls", "trojan", "status", "showing", "cookie", "template", "johnnsabey", "briansabey", "data center", "choco", "name", "win32 exe", "domains", "registrar", "markmonitor inc", "ip detections", "country", "us execution", "parents", "whois record", "whois whois", "ssl certificate", "apple ios", "red team", "tsara brashears", "historical ssl", "hacktool", "copy", "malicious", "life", "unsafe", "server", "registrar abuse", "contact phone", "domain status", "registrar whois", "email", "registry domain", "registry expiry", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "ec oid", "key identifier", "subject key", "identifier", "x509v3 key", "info", "first", "http method", "http requests", "connect http", "get dns", "resolutions", "ip traffic", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "show", "free", "recon", "benjamin", "write", "worm", "win32", "june", "delphi", "code", "malware", "next", "using", "urls http", "benjamin", "nids", "cowrie hashes", "dns replication", "files", "sample", "sender", "us postal", "cowrie", "iranian actor", "shipping", "healthcare", "ragnar locker", "qakbot", "qbot", "pii", "phi", "privacy", "honeypot", "referrer", "spyware", "android", "nanocore", "banker", "keylogger" ], "references": [ "choco.exe", "media-router-fp74.prod.media.vip.bf1.yahoo.com", "https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true", "httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/", "http://security.didici.cc/cve", "https://whois.domaintools.com/gov1.info", "https://nsa.gov1.info/utah-data-center/", "https://github.com/cowrie/cowrie", "Cowrie (honeypot) - Wikipedia", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware" ], "public": 1, "adversary": "Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "ALF:Win32/GbdInf_123DF591.J!ibt", "display_name": "ALF:Win32/GbdInf_123DF591.J!ibt", "target": "/malware/ALF:Win32/GbdInf_123DF591.J!ibt" }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "display_name": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "target": null }, { "id": "ALF:Ransom:Win32/Babax.SG!MTB", "display_name": "ALF:Ransom:Win32/Babax.SG!MTB", "target": null }, { "id": "ALF:SpikeAexR.SECTHDR", "display_name": "ALF:SpikeAexR.SECTHDR", "target": null }, { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "target": null }, { "id": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "display_name": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Ragnar Locker", "display_name": "Ragnar Locker", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null }, { "id": "NanCore RAY", "display_name": "NanCore RAY", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [ "Healthcare", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 347, "FileHash-SHA1": 222, "FileHash-SHA256": 6645, "hostname": 2744, "URL": 9123, "domain": 3065, "email": 4 }, "indicator_count": 22150, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a127b18f314c64abf0ca", "name": "MITRE ATT&C - T1140 - Deobfuscate/Decode Files or Information", "description": "", "modified": "2023-12-06T16:28:23.639000", "created": "2023-12-06T16:28:23.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a11eb966ec5b823d2ae8", "name": "Drive By Malware", "description": "", "modified": "2023-12-06T16:28:14.217000", "created": "2023-12-06T16:28:14.217000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a11966ff39f73aed8c7d", "name": "Fileless Malware", "description": "", "modified": "2023-12-06T16:28:09.128000", "created": "2023-12-06T16:28:09.128000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ee7075f37dad88d73c3830", "name": "Fileless Malware", "description": "An example of 1 dangerous exploit. \nThis happened on Brand New fully updated locked down Apple iPhone, Samsung. If you happen to be looking at your phone, you may witness the following: Google logo on appengine.goohke .com Drive By will have a disclaimer that it is NOT affiliate.\nYou will see:\nhttps://accounts.google.com/AccountChooser?continue\nAll of your Gmail accounts will be displayed your primary account will be checked. The drive by happens at tspeed of 2 -3 seconds. Without clicking, your entire phone is compromised. Every account, locations, maps, YouTube, voice, camera, , keyloggers installed. This is not your fault. You are a target. There are empty hashes. It's fileless malware which does not write to storage. \nPhishing, malware hosting, other IoC s.\nExtremely hazardous, renders phone a zombie. New network and data plan all without your explicit consent.\nWelcome to the BotNetwork.\nhttp://appengine.google.com/\naccounts.google.com\nconsent.google.com/m?---- (Forced Consent on iOS device)", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-29T22:25:53.474000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ee70f9eaecf035471ff80c", "name": "Drive By Malware ", "description": "", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-29T22:28:09.867000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ee7075f37dad88d73c3830", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64eed9e039cd84d4b7b9aa54", "name": "MITRE ATT&C - T1140 - Deobfuscate/Decode Files or Information ", "description": "", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-30T05:55:44.012000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ee70f9eaecf035471ff80c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "https://pegasusm2.bullsbikesusa.com", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA", "docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips", "https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022", "http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "https://github.com/cowrie/cowrie", "Virustotal - google.com.uy", "FormBook IP: 142.251.211.243", "Trojan:PDF/Owaphish.A: https://otx.alienvault.com/indicator/file/b3735b6a91f612fdb28832408fe53ee286d0d618802db2e35f0c9e1f266f8918", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "Yara Detections PEtite24", "Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains", "pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz", "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "http://security.didici.cc/cve", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "http://www.jelenia-gora.so.gov.pl/", "https://whois.domaintools.com/gov1.info", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist", "https://www.jelenia-gora.sr.gov.pl/spacer", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://nsa.gov1.info/utah-data-center/", "https://hs.ecam.com/your-challenges-ecams-solutions", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://waf.intelix.pl/957476/Chat/Script/Compatibility", "nr-data.net [Apple Private Data Collection]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545", "checkip.dyndns.org [command and control]", "httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips", "https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/", "https://www.jelenia-gora.so.gov.pl/", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "144.76.108.82 [scanning host]", "Cowrie (honeypot) - Wikipedia", "It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!", "https://www.hybrid-analysis.com/sample/1843e6de2e062031e54642a10f4582884a2a9e5d97092f7221c35e9fa9b92cc7/665173a88bb19689e2005033", "choco.exe", "media-router-fp74.prod.media.vip.bf1.yahoo.com", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin" ], "malware_families": [ "", "Rce cve-2023-3519", "Ragnar locker", "Trojan:win32/comisproc!gmb", "#exploit:win32/cve- 2023 - 23397", "Nancore ray", "Ransom:win32/stopcrypt.ak!mtb", "Worm", "Qakbot", "Win.trojan.tofsee-9770082-1", "Trojan:msil/trojandropper", "Emotet", "Alf:trojan:win32/cassini_f28c33a2!ibt", "Worm:win32/benjamin", "Hacktool", "Tulach", "Win32:dropperx-gen\\ [drp]", "Sabey", "Alf:ransom:win32/babax.sg!mtb", "Alf:trojan:msil/agenttesla.km", "Alf:spikeaexr.secthdr", "Alf:heraklezeval:trojan:win32/clipbanker , , alf:trojan:win32/autorun.pi!mtb , alf:trojan:win32/cassini_6d4ebdc9!ibt", "Trojan:pdf/owaphish.a", "Tofsee", "Alf:pulzati:worm:win32/mydoom", "Sova", "Sf:agent-dq\\ [trj]", "Wannacry", "Alf:heraklezeval:ransom:msil/gorf", "Installer", "Serwer", "Pegasus", "Alf:trojan:win32/cassini_ade36583!ibt", "Trojandownloader:win32/upatre!rfn", "Foundry", "Trojan", "Qbot", "Hallrender", "Alf:win32/gbdinf_123df591.j!ibt", "Trojandropper:win32/vb.il" ], "industries": [ "Insurance", "Healthcare" ], "unique_indicators": 125209 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/bdn.dev", "whois": "http://whois.domaintools.com/bdn.dev", "domain": "bdn.dev", "hostname": "origin-test.bdn.dev" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "68feb98a8c1b75b4431a3e8e", "name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?", "description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.", "modified": "2025-11-25T20:05:31.749000", "created": "2025-10-27T00:15:06.191000", "tags": [ "html internet", "html document", "ascii text", "language", "cve202323397", "iframe tags", "tag manager", "gtmkvjvztk", "anchor hrefs", "info ta0011", "protocol", "layer protocol", "port", "t1571 encrypted", "channel", "t1573 malware", "tree", "oc0006 http", "c0014", "get http", "dns resolutions", "resolved ips", "user", "data", "datacrashpad", "edge", "v full", "reports v", "chrome u", "appdata local", "googlechrome u", "u ser", "cname", "ip address", "http", "accept", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "extraction", "suggested iocs", "data upload", "cry dee", "stop", "type", "url indicator", "enter", "failed", "se share", "extrac", "enter so", "passive dns", "urls", "hostname add", "pulse pulses", "files", "domain", "files ip", "address", "location united", "asn as20473", "dynamicloader", "directui", "write c", "intel", "ms windows", "pe32", "element", "delete c", "document file", "v2 document", "explorer", "trojandropper", "write", "markus", "august", "movie", "insert", "pulse submit", "url analysis", "asn as8068", "united", "entries", "body", "please", "x msedge", "ipv4 add", "present sep", "present oct", "present feb", "status", "unknown ns", "search", "name servers", "present jul", "aaaa", "present apr", "trojan", "medium", "high", "yara rule", "globalc", "june", "malware", "win64", "unknown", "america flag", "twitter", "hostname", "domain add", "reverse dns", "america asn", "present aug", "a domains", "moved", "first pqc", "unknown aaaa", "title", "meta", "window", "encrypt", "pulse indicator", "body doctype", "welcome", "ok server", "gmt content", "atlanta", "abuse", "agent", "service", "present jun", "present may", "creation date", "record value", "servers", "libretv meta", "certificate", "value", "whois lookup", "loopia ab", "userlolxxl" ], "references": [ "http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist", "It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!", "pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz", "Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com", "docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips", "https://hs.ecam.com/your-challenges-ecams-solutions", "https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022", "https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/", "Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wannacry", "display_name": "Wannacry", "target": null }, { "id": "Foundry", "display_name": "Foundry", "target": null }, { "id": "Trojan:Win32/Comisproc!gmb", "display_name": "Trojan:Win32/Comisproc!gmb", "target": "/malware/Trojan:Win32/Comisproc!gmb" }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "#Exploit:Win32/CVE- 2023 - 23397", "display_name": "#Exploit:Win32/CVE- 2023 - 23397", "target": "/malware/#Exploit:Win32/CVE- 2023 - 23397" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "ALF:PulZati:Worm:Win32/Mydoom", "display_name": "ALF:PulZati:Worm:Win32/Mydoom", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 8, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 248, "FileHash-SHA1": 134, "FileHash-SHA256": 2661, "URL": 6257, "domain": 682, "email": 8, "hostname": 2077, "CVE": 1 }, "indicator_count": 12068, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "145 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688d75bdc4bc5ba5cb6df7fb", "name": "2nd X - https://ldl.myqnascloud.com/ - DT_VMP_32", "description": "*Malware: DT_VMP_32 -associated with non specific trojan or ransomware activity, widely-known malware family with (custom) unique names.\n\u2022 pid-bodis-gcontrol151 |\u2022 googledownloads.cn\nServer or central repository used to target Tsara Brashears , \n into a malicious w/botnet world. Parked domains used w/malicious intent though appearing benign or \u2018for sale\u2019. \n\nDetections: \nSuspicious User-Agent - Possible Trojan Downloader (https)\nHTTP Request to a *.tw domain\n#bodis #targeting #parkingcrews #active #content_delivery #malvertizing #content_scraping #malware #attacks #dumping #framing #webcache #colbaltstrike #trojan_downloader #disabler #distributor #music_piracy #domainfraud #ransom", "modified": "2025-09-01T01:01:18.030000", "created": "2025-08-02T02:19:41.646000", "tags": [ "cisco", "umbrella rank", "domain", "general full", "united", "reverse dns", "software", "kb script", "url https", "asn15169", "google", "resource", "hash", "value", "variables", "domainpath name", "name value", "august", "servaas klute", "americachicago", "verified", "ecdsa", "linux x8664", "khtml", "gecko", "aes128gcm", "maxradlinklen50", "encrypt", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "spawns", "mitre att", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "pattern match", "show technique", "body", "date", "hybrid", "general", "path", "click", "strings", "meta", "present jul", "search", "entries", "ip address", "registrar", "creation date", "record value", "name servers", "servers", "found a", "location united", "asn as15169", "less whois", "mtb apr", "trojan", "trojandropper", "backdoor", "win32qqpass apr", "next associated", "files show", "date hash", "avast avg", "ipv4", "pulse pulses", "passive dns", "urls", "files", "hacktool", "ipv4 add", "virtool", "present aug", "present feb", "present jan", "gmt location", "gmt max", "certificate", "showing", "cowboy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2209, "domain": 801, "URL": 6114, "FileHash-SHA256": 2162, "FileHash-MD5": 184, "FileHash-SHA1": 187, "CIDR": 3, "SSLCertFingerprint": 2, "email": 1, "CVE": 2 }, "indicator_count": 11665, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66246ff49ed29ea9bb2bf122", "name": "S\u0105d Rejonowy w Jeleniej Gorze POLAND", "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations", "modified": "2025-05-14T21:18:36.989000", "created": "2024-04-21T01:46:28.554000", "tags": [ "jeleniej grze", "aktualnoci", "informacje", "jednostka", "rejonowy", "konkurs", "najczciej", "sd rejonowy", "przejd", "czytaj", "click", "sdzia jarosaw", "wydziau", "sdzia grzegorz", "katarzyna", "rudnicka dane", "kontaktowe sd", "jelenia gra", "mickiewicza", "zawarto", "html", "nazwa meta", "robotw", "telefon", "brak", "skala", "ua zgodna", "head body", "zasb", "cname", "kod odpowiedzi", "kodowanie treci", "wygasa", "gmt serwer", "pragma", "kontrola pamici", "podrcznej", "data", "gmt kontrola", "dostpuzezwl na", "czytaj wicej", "sd okrgowy", "jednostki", "okrgowy", "ogoszenia", "sha256", "vhash", "ssdeep", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "tworzy katalog", "tworzy pliki", "typ pliku", "json", "ascii", "windows", "sqlite", "foxpro fpt", "links typ", "mapa", "152 x", "sqlite w", "sha1", "sha512", "file size", "b file", "testing", "komornik sdowy", "sdzie rejonowym", "tomasz rodacki", "obwieszczenie", "komornicze", "tumacza migam", "tumacz czynny", "zamknite", "wiadczenia", "schedule", "error", "javascript", "bakers hall", "ixaction", "script", "ixchatlauncher", "compatibility", "com dla", "t1055 pewno", "unikanie obrony", "t1036 maskarada", "t1082 pewno", "informacje o", "nazwa pliku", "dokument pdf", "rozmiar pliku", "zapowied", "type", "iii dbt", "utf8", "dziennik" ], "references": [ "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "http://www.jelenia-gora.so.gov.pl/", "https://www.jelenia-gora.so.gov.pl/", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://waf.intelix.pl/957476/Chat/Script/Compatibility" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "serwer", "display_name": "serwer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 71, "domain": 7651, "hostname": 7680, "IPv4": 331, "FileHash-SHA256": 16168, "URL": 10399, "FileHash-MD5": 3639, "FileHash-SHA1": 3468, "CIDR": 4, "CVE": 89, "YARA": 521, "SSLCertFingerprint": 25, "JA3": 1, "IPv6": 5813 }, "indicator_count": 55860, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "340 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665182d791bfc08412ec2c0a", "name": "Shadow Pad | Appears as investigation of an infirmed non criminal", "description": "ShadowPad is a modular backdoor attack platform that uses an ecosystem of plugins. It stealthily infiltrates target systems and provides attackers with capabilities to gather data execute commands, interacts with the file system and registry, and deploys new modules to extend functionality controlling the compromised systems remotely.\n\nElderly ill target cannot summon help.\n*Forced Updates for Google Chrome\n*Browser bar plug-in. \nRedirects calls to OOS phone message who;e call is still dialing\n*Emergency calls are always answered by 'police communication' at every given time of the day there are no police , ambulance, or any help available. They have already left for the day. \n*Nefarious user has on UTC time.\n Merits further investigation.", "modified": "2024-06-24T05:01:31.025000", "created": "2024-05-25T06:19:03.896000", "tags": [ "threat roundup", "historical ssl", "referrer", "socs", "water dybbuk", "a bec", "actor using", "service", "privateloader", "blacknet rat", "shadowpad", "algorithm", "v3 serial", "number", "cus ogoogle", "trust", "llc cngts", "validity", "subject public", "key info", "aaaa", "record type", "ttl value", "cname", "server", "domain status", "google llc", "registrar abuse", "registrar", "admin country", "ca creation", "dnssec", "subdomains", "key algorithm", "ec oid", "key identifier", "subject key", "identifier", "first", "name verdict", "falcon sandbox", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "sha1", "sha256", "severity", "ascii text", "hybrid", "local", "click", "strings", "contact", "isoscope", "malicious", "Trojan:PDF/Owaphish.A", "android", "cisco", "show", "create c", "related pulses", "copy", "search", "peter pdf", "modifydate", "hacker playbook", "practical guide", "write", "trojan", "format", "core", "united", "unknown", "passive dns", "scan endpoints", "all scoreblue", "urls", "files", "none related", "miles", "all search", "otx scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "abuse", "pentest", "127.0.0.1" ], "references": [ "Trojan:PDF/Owaphish.A: https://otx.alienvault.com/indicator/file/b3735b6a91f612fdb28832408fe53ee286d0d618802db2e35f0c9e1f266f8918", "https://www.hybrid-analysis.com/sample/1843e6de2e062031e54642a10f4582884a2a9e5d97092f7221c35e9fa9b92cc7/665173a88bb19689e2005033" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RCE CVE-2023-3519", "display_name": "RCE CVE-2023-3519", "target": null }, { "id": "Trojan:PDF/Owaphish.A", "display_name": "Trojan:PDF/Owaphish.A", "target": "/malware/Trojan:PDF/Owaphish.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 97, "FileHash-SHA1": 93, "FileHash-SHA256": 822, "domain": 166, "URL": 571, "hostname": 252, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 2012, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "664 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66141ecabe8f1ab189351dd3", "name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring", "description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related", "modified": "2024-05-08T16:00:34.588000", "created": "2024-04-08T16:43:54.908000", "tags": [ "installer", "tofsee", "trojan", "dropper", "dns", "as20940", "united", "aaaa", "as15703", "search", "servers", "as8455 schuberg", "a domains", "encrypt", "code", "tweakers", "unknown", "ransom", "body", "webcams", "banker", "location tracking", "vehicle tracking", "device tracking", "exploitation", "redirects", "ip tracking", "vpn nullify", "vehicle keycodes", "search threat", "analyzer feeds", "panel platform", "search platform", "profile user", "iocs", "redacted for", "passive dns", "all scoreblue", "hostname", "next", "cnc", "scanning host", "milesone", "virtual currency mining", "crypto", "regsetvalueexa", "regdword", "default", "show", "regbinary", "read c", "settingswpad", "as15169", "malware", "copy", "write", "upatre", "ids detections", "scan endpoints", "filehash", "av detections", "yara detections", "alerts", "analysis date", "file score", "ransom", "related pulses", "entries", "icmp traffic", "packing t1045", "t1045", "pe resource", "august", "win32", "for privacy", "creation date", "name servers", "urls", "date", "status", "as15169 google", "as44273 host", "ipv4", "pulse submit", "url analysis", "msie", "chrome", "moved", "title", "gmt content", "apple", "invalidate_gift_cards", "tulach rebranded", "hallrender rebranded", "as8075", "verdana", "td tr", "domain", "germany unknown", "as34011 host", "etag", "medium", "module load", "invalidate_google_play", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "win32 exe", "win32 dll", "javascript", "mozilla firefox", "edition", "detections type", "name", "keeweb", "setup", "firefox setup", "record type", "ttl value", "android", "files", "formbook", "critical cmd", "tracker", "tsara brashears", "remote", "historical ssl", "referrer", "march", "body html", "head meta", "moved title", "head body", "pegasus", "nemtih", "hit", "men", "gift_card_mining", "google_play_card_mining", "miner", "htmladodb may", "twitter", "win64", "as21342", "as2914 ntt", "as15334", "error", "certificate", "checkbox", "accept", "record value", "emails", "domain name" ], "references": [ "Virustotal - google.com.uy", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "nr-data.net [Apple Private Data Collection]", "checkip.dyndns.org [command and control]", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "144.76.108.82 [scanning host]", "Yara Detections PEtite24", "FormBook IP: 142.251.211.243", "https://pegasusm2.bullsbikesusa.com", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:MSIL/TrojanDropper", "display_name": "Trojan:MSIL/TrojanDropper", "target": "/malware/Trojan:MSIL/TrojanDropper" }, { "id": "Installer", "display_name": "Installer", "target": null }, { "id": "Sf:Agent-DQ\\ [Trj]", "display_name": "Sf:Agent-DQ\\ [Trj]", "target": null }, { "id": "TrojanDownloader:Win32/Upatre!rfn", "display_name": "TrojanDownloader:Win32/Upatre!rfn", "target": "/malware/TrojanDownloader:Win32/Upatre!rfn" }, { "id": "Win32:DropperX-gen\\ [Drp]", "display_name": "Win32:DropperX-gen\\ [Drp]", "target": null }, { "id": "Win.Trojan.Tofsee-9770082-1", "display_name": "Win.Trojan.Tofsee-9770082-1", "target": null }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1574.005", "name": "Executable Installer File Permissions Weakness", "display_name": "T1574.005 - Executable Installer File Permissions Weakness" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1493", "name": "Transmitted Data Manipulation", "display_name": "T1493 - Transmitted Data Manipulation" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1013", "name": "Port Monitors", "display_name": "T1013 - Port Monitors" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1468", "name": "Remotely Track Device Without Authorization", "display_name": "T1468 - Remotely Track Device Without Authorization" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 468, "FileHash-SHA256": 3233, "URL": 8667, "domain": 2219, "hostname": 3480, "email": 8 }, "indicator_count": 18467, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "711 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659b4cea3e6da3a00306ae11", "name": "Ragnar Locker | Cowrie Hash", "description": "Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by an attacker. Cowrie also functions as an SSH and telnet proxy to observe attacker behavior to another system. Cowrie was developed from Kippo.\n\nRagnar Locker: \nAffected platforms: Microsoft Windows\nImpacted parties: Microsoft Windows & Linux Users\nImpact: Encrypts files on the compromised machine and demands ransom for file decryption\nSeverity level: High\n\nI'm not sure. It seems this 'Law' group aquires and sell your digital profiles, PHI. PII, Banking , Insurance credentials on the dark web.", "modified": "2024-02-06T23:04:54.022000", "created": "2024-01-08T01:16:26.884000", "tags": [ "contacted", "pe resource", "execution", "problems", "alienvault part", "dropped", "kgs0", "kls0", "collections", "schema abuse", "iframe", "united", "as29791", "search", "entries", "passive dns", "urls", "service", "date", "unknown", "japan unknown", "body", "czechia unknown", "sinkhole", "emotet", "date hash", "avast avg", "mtb dec", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "samples", "tulach", "tulach.cc", "sabey data center", "malware server", "gorf", "set cookie", "united kingdom", "script urls", "trojan", "status", "showing", "cookie", "template", "johnnsabey", "briansabey", "data center", "choco", "name", "win32 exe", "domains", "registrar", "markmonitor inc", "ip detections", "country", "us execution", "parents", "whois record", "whois whois", "ssl certificate", "apple ios", "red team", "tsara brashears", "historical ssl", "hacktool", "copy", "malicious", "life", "unsafe", "server", "registrar abuse", "contact phone", "domain status", "registrar whois", "email", "registry domain", "registry expiry", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "ec oid", "key identifier", "subject key", "identifier", "x509v3 key", "info", "first", "http method", "http requests", "connect http", "get dns", "resolutions", "ip traffic", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "show", "free", "recon", "benjamin", "write", "worm", "win32", "june", "delphi", "code", "malware", "next", "using", "urls http", "benjamin", "nids", "cowrie hashes", "dns replication", "files", "sample", "sender", "us postal", "cowrie", "iranian actor", "shipping", "healthcare", "ragnar locker", "qakbot", "qbot", "pii", "phi", "privacy", "honeypot", "referrer", "spyware", "android", "nanocore", "banker", "keylogger" ], "references": [ "choco.exe", "media-router-fp74.prod.media.vip.bf1.yahoo.com", "https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true", "httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/", "http://security.didici.cc/cve", "https://whois.domaintools.com/gov1.info", "https://nsa.gov1.info/utah-data-center/", "https://github.com/cowrie/cowrie", "Cowrie (honeypot) - Wikipedia", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware" ], "public": 1, "adversary": "Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "ALF:Win32/GbdInf_123DF591.J!ibt", "display_name": "ALF:Win32/GbdInf_123DF591.J!ibt", "target": "/malware/ALF:Win32/GbdInf_123DF591.J!ibt" }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "display_name": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "target": null }, { "id": "ALF:Ransom:Win32/Babax.SG!MTB", "display_name": "ALF:Ransom:Win32/Babax.SG!MTB", "target": null }, { "id": "ALF:SpikeAexR.SECTHDR", "display_name": "ALF:SpikeAexR.SECTHDR", "target": null }, { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "target": null }, { "id": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "display_name": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Ragnar Locker", "display_name": "Ragnar Locker", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null }, { "id": "NanCore RAY", "display_name": "NanCore RAY", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [ "Healthcare", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 347, "FileHash-SHA1": 222, "FileHash-SHA256": 6645, "hostname": 2744, "URL": 9123, "domain": 3065, "email": 4 }, "indicator_count": 22150, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a127b18f314c64abf0ca", "name": "MITRE ATT&C - T1140 - Deobfuscate/Decode Files or Information", "description": "", "modified": "2023-12-06T16:28:23.639000", "created": "2023-12-06T16:28:23.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a11eb966ec5b823d2ae8", "name": "Drive By Malware", "description": "", "modified": "2023-12-06T16:28:14.217000", "created": "2023-12-06T16:28:14.217000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a11966ff39f73aed8c7d", "name": "Fileless Malware", "description": "", "modified": "2023-12-06T16:28:09.128000", "created": "2023-12-06T16:28:09.128000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://origin-test.bdn.dev", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://origin-test.bdn.dev", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638713.1699197 }