{ "type": "URL", "indicator": "https://partner.outlook.cn/SMTP.Send", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://partner.outlook.cn/SMTP.Send", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3768714198, "indicator": "https://partner.outlook.cn/SMTP.Send", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 24, "pulses": [ { "id": "68930449988277cd29c25cb7", "name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper", "description": "", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:29:13.136000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": "6893032410060f658d862c60", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6893032410060f658d862c60", "name": "Hosting App - Partial research | Emotet Worm", "description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:24:20.645000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d147ac5afafb76f652ccfb", "name": "cyberfolks.pl / Hosting/ 185.208.164.121 / VPS / 94.152.11.60 / 193.218.154.51", "description": "The full text of the text-free version of Microsoft's Chrome browser can be viewed here:. \u00c2\u00a31.5m.. (\u20ac2.4m) \u20ac", "modified": "2024-12-16T22:19:24.841000", "created": "2024-08-30T04:16:44.939000", "tags": [ "vhash", "ssdeep", "digicert", "g2 firmy", "digicert g3", "entrust gwny", "gwny", "microsoft ecc", "microsoft azure", "ecc tls", "rsa tls", "microsoft rsa", "aoc ca", "digicert tls", "azure rsa", "eoc ca", "digicert cloud", "azure tls", "azure ecc", "xargs", "jeli", "azure", "authority", "java", "ms windows", "dziennik zdarze", "vista", "pe32", "intel", "defender", "systemy", "plik", "tekst ascii", "dane archiwalne", "ptime", "danie", "msie", "windows nt", "okrndata", "jzyk", "cieka", "sha1", "sha256", "imphasz", "pejzasz", "windows", "eurostile", "disk1", "augustin", "butterfield", "cook", "drummer", "erickson", "fjsv", "flynn", "gorman", "easy", "rada", "xanadu", "config", "reboot", "screen", "trash", "wersja pliku", "v2 dokument", "aaaa", "cname", "aaaaa", "whasz", "dostawa", "cache entry", "wav chrome", "gzip chrome", "text chrome", "woff chrome", "cab c", "lnk c", "doc c", "doc chrome", "ttf chrome" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6307, "hostname": 7851, "domain": 1282, "FileHash-MD5": 221, "FileHash-SHA256": 1346, "IPv4": 1437, "IPv6": 8, "FileHash-SHA1": 192, "email": 3, "CIDR": 8, "CVE": 2 }, "indicator_count": 18657, "is_author": false, "is_subscribing": null, "subscriber_count": 125, "modified_text": "488 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cb1a82b938d97fca42577b", "name": "http://sni.cloudflaressl.com/ SSL dla sni.com and Cloudflaressl.cloudflAressL.org", "description": "urz\u0105dzenie5695310-7a1dc9c7-local.wd2go.com\nurz\u0105dzenie4491421-0ffc7b50-local.wd2go.com", "modified": "2024-11-29T19:44:16.599000", "created": "2024-08-25T11:50:26.438000", "tags": [ "cloudflare", "read", "report", "zero trust", "contact", "sign", "view", "discover", "gartner magic", "quadrant", "protect", "enterprise", "fortune", "ssl certificate" ], "references": [ "http://sni.cloudflaressl.com/" ], "public": 1, "adversary": "TrojanDownloader:Win32/Nemucod", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8863, "hostname": 2526, "domain": 3054, "FileHash-SHA256": 703, "FileHash-SHA1": 16, "IPv4": 227, "FileHash-MD5": 10, "IPv6": 8, "CVE": 2 }, "indicator_count": 15409, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "505 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cbb85a6cfde70987049f81", "name": "Hijacked Android: CryptInject | Dridex | Spyware", "description": "Hijacked basic android phone purchased in US directly from vendor not carrier. Spyware, SQL and other malware found. \nIt's a bit confusing IC3 is typically synonymous with United States FBI cyber security complaint division. Issue appear to be originating from China. This is interesting. Microsoft Teams CN have login, password, account, modification privileges as well as an 'audience'. \nVictim contacted IC3, received no response when contacting IC3 from personal devices. Calls are being made from phone as well as many other intrusive activities.\nOriginated from an IP address found on phone with a SWIPPER dba Verizon Business with a Hurricane Electric BGP relationship.", "modified": "2024-09-24T21:00:32.174000", "created": "2024-08-25T23:03:54.460000", "tags": [ "windows", "service", "shellexecuteexw", "writeconsolew", "registry", "modify existing", "dock", "write", "malware", "binary_yara", "yara rule", "binary file", "all scoreblue", "av detections", "ids detections", "yara detections", "alerts", "all search", "otx scoreblue", "analysis date", "risk", "show", "filehash", "april", "trojanspy", "file score", "june", "passive dns", "urls", "hostname", "url analysis", "domain", "china unknown", "as133775", "as4847 china", "united", "as4811 china", "as4837 china", "as54994 quantil", "as133774", "cname", "aaaa", "as20940", "registrar", "unknown related", "pulses otx", "tags", "present", "issuer cus", "odigicert inc", "road", "beijing country", "blue cloud", "apnic person", "cn phone", "ip information", "quick stats", "ip location", "china", "ltd asn", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "apnic irt", "beijing email", "whois lookups", "country", "filtered role", "abuse cnniccn", "algorithm", "key usage", "first", "v3 serial", "number", "cus odigicert", "inc cndigicert", "basic rsa", "cn ca", "g2 validity", "status hostname", "query type", "address first", "seen last", "country unknown", "files ip", "sql client", "historical ssl", "referrer", "win32", "entries", "scan endpoints", "pulse pulses", "copy" ], "references": [ "ic3he-ge.teams.trafficmanager.cn | ic3he-ge.teams.trafficmanager.cn | partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "Yara Detections: ProcessInjector_Gen , stack_string , Cabinet_Archive , VM_Unknown , UPX", "bjb.webshell.suite.partner.microsoftonline.cn | Shanghai Blue", "001-ea3.chn.cos.audience.teams.microsoftonline.cn | 001-no3.chn.cos.audience.teams.microsoftonline.cn", "https://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "http://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "http://callcontroller.cnno3-02.ic3-calling-callcontroller.chinanorth3-gallatin.cosmic.partner.outlook.cn", "ic3-media-audiencebot.chn-ea3-001.ic3-media-audiencebot.chinaeast3-gallatin.cosmic.partner.outlook.cn", "ic3-media-mpaas-ivr.chn-no3-002.ic3-media-mpaas-ivr.chinanorth3-gallatin.cosmic.partner.outlook.cn", "ic3-media-audiencebot.chn-no3-001.ic3-media-audiencebot.chinanorth3-gallatin.cosmic.partner.outlook.cn", "http://w.cn4e.com/login/bc.jsp?p=vfqFFKW%2BIGfiCD65IDGjyLxM2SI6T01nMjOHYnstwLOHKIWDgmOKTOF1xSdw9Gcgk3Vsw%2BiMEMZg0exeBk76yA%3D%3D%26njqroJJefuLemxYifUtAyeML%2FLMURbuIPYQZrlWic%2BL8e8HVbJO9uR2YxwgfwZct39x09olEQGUt7c7AUR5VeQ%3D%3D%26KwZ41toCvJmi5lujp8N8y8fB65auqmMzD93Hpf2Y7lSTCl0TqvssvQvyWAsH9sX6ykvG0puC%2FCCRD48L9J5YjQ%3D%3D%26ck6ZnzP%2FWNQV%2BmK5uOzxgB9XdQbUEnnpNXUT0vCUKGpoDcmpZLuzbmyzsZfKKGyzo8r7L0Qwfw2mff0zdyc5BA%3D%3D&d=yongstextile.com", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "http://phoenix.yizimg.com/alabiaga/androidx/commit/d7e342ef6cfe5885f1bb786f1912a039422b9251", "TrojanSpy:Win32/Rebhip.F: http://w.cn4e.com/login/bc.jsp?p=ix5KZDRKcnWBJ6ajdBhecP1lMuzLoE1s0C1i9+ksxWcZJK/hYGZdXSDPe3xCp02xzq0EXsDt+GEIykVMplIPKA==&4lC8a2Py9lOxeYnfOWCZPU0VlLoLx7fVrfU2hBe8CgagrYeJS+SoNc3W34M2h/kbKz5RbH+OFy2SfjMAmGu74w==&A9VopQG0dDxhY+Ku/NF1C8FGNvIhy36pnzqkS4GgTjwsbI8ok+B5K8FXJW2kEIlJxYQu19lSwkqKJu+UtcZvfg==&G/9EanSL/XFEPUA7CiWzOg/9sPYcdFKz90x7wGXCESBsMdCvrrldf9ZZrjBpUx8XdG6aK/wR8sqSksJ5wA9Y6Q==&YRQGDPQJkCxAmK4eNjFDC7I0arWP+eE6UIJHCPmv/HXDcxRWPDOXlzXK7uvuVDkjA1llh8gOam+rpWLXZTx+uQ==&d=sicoto", "TrojanSpy:Win32/Rebhip.F: 5586f9b1a688d58ead675547231f84daf30c0c1c18fc6584fb37cfdaa5125fea", "VirTool:MSIL/CryptInject!: FileHash-SHA256 bbabbbdfbb40016ed75a7ceb3f983c58797577247ffba74a1d0aab46b72b0643", "Yara Detections ConventionEngine_Keyword_Launch , MS_Visual_Cpp_2003 , Cabinet_Archive , Nullsoft_NSIS", "tokenencryption.mam.manage-ppe.microsoftonline.cn | https://encrypt.enterpriseregistration.partner.microsoftonline.cn", "http://virii.es/U/Using Entropy Analysis to Find Encrypted and Packed Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:AGGR:Mytonel_Obfuscator", "display_name": "ALF:AGGR:Mytonel_Obfuscator", "target": null }, { "id": "Win.Malware.Generic-9870238-0", "display_name": "Win.Malware.Generic-9870238-0", "target": null }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/Rebhip.F", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/Rebhip.F", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Malware.Zusy-9875693-0", "display_name": "Win.Malware.Zusy-9875693-0", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Dridex!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Dridex!rfn", "target": null }, { "id": "ALF:JASYP:VirTool:MSIL/CryptInject!atmn", "display_name": "ALF:JASYP:VirTool:MSIL/CryptInject!atmn", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1673, "FileHash-SHA1": 1344, "FileHash-SHA256": 3753, "domain": 224, "hostname": 613, "URL": 490, "email": 8, "CIDR": 1 }, "indicator_count": 8106, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "571 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652a901fe2dbea9024b3d614", "name": "Black Tech", "description": "Found in a malicious Apple iTunes link. Lists several independent artists. Music \"producer\" is potentially highly dependent on use of AI generated instrumentation and conception. Hacking seems to target a single target and associates.", "modified": "2024-09-24T00:01:38.502000", "created": "2023-10-14T12:57:03.183000", "tags": [ "referrer", "historical ssl", "ssl certificate", "whois record", "whois ssl", "whois", "historical", "siblings parent", "network", "number", "label shanghai", "blue cloud", "ltd regional", "apnic country", "cn continent", "algorithm", "data", "v3 serial", "cus cndigicert", "basic rsa", "cn ca", "g2 odigicert", "inc validity", "oshanghai blue", "road", "beijing country", "beijing", "please", "apnic person", "cn phone", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "cnnic", "whois lookups", "updated date", "apnic netname", "beijing abusec", "abuse cnniccn", "liu registrant", "country", "dns replication", "date", "domain", "first", "blacklist https", "heur", "html", "malware", "alexa top", "site", "filerepmetagen", "suspected", "adware", "cisco umbrella", "malware site", "win64", "opencandy", "cleaner", "artemis", "iframe", "agent", "unsafe", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "genkryptik", "exploit", "presenoker", "filetour", "conduit", "wacatac", "softcnapp", "xtrat", "cve201711882", "memscan", "phishing", "maltiverse", "zbot", "webtoolbar", "trojanspy", "million", "united", "phishing site", "malicious site", "proxy", "firehol", "detection list", "ip address", "blacklist", "safe site", "team", "fusioncore", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "alexa", "adposhel", "installpack", "xrat", "azorult", "service", "runescape", "facebook", "download", "gamehack", "verdict", "falcon sandbox", "pattern match", "show", "file", "indicator", "ascii text", "appdata", "mitre att", "et tor", "known tor", "severity", "hybrid", "general", "misc attack", "beginstring", "script", "relayrouter", "exit", "node traffic", "null", "error", "unknown", "span", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "click", "strings", "meta", "anonymizer", "team proxy", "host", "control server", "meterpreter", "dnspionage", "filerepmalware", "fakealert", "pony", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "patcher", "adload", "webcompanion", "seraph", "downloader", "generic", "dapato", "redline stealer", "beach research", "blacklist http", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "bundled", "dropped", "contacted", "most malicious", "server", "parent parent" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2449, "FileHash-SHA1": 217, "FileHash-SHA256": 3441, "URL": 2044, "domain": 258, "hostname": 1100, "CIDR": 1, "email": 4, "CVE": 37 }, "indicator_count": 9551, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a9123acb8410d1158f8a", "name": "DNSpionage", "description": "", "modified": "2023-12-06T17:02:10.861000", "created": "2023-12-06T17:02:10.861000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a90bc683765a535061dc", "name": "27 CVE Talley | GameHack l Beach Research", "description": "", "modified": "2023-12-06T17:02:03.119000", "created": "2023-12-06T17:02:03.119000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a903fc0836f148fa45c9", "name": "Oshanghai Blue", "description": "", "modified": "2023-12-06T17:01:55.465000", "created": "2023-12-06T17:01:55.465000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8fb83452e1699674c37", "name": "Black Tech", "description": "", "modified": "2023-12-06T17:01:47.488000", "created": "2023-12-06T17:01:47.488000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8e51a92ae866818d432", "name": "Apple link - Critical risk found", "description": "", "modified": "2023-12-06T17:01:25.538000", "created": "2023-12-06T17:01:25.538000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1090, "URL": 866, "hostname": 581, "domain": 101, "FileHash-MD5": 72, "FileHash-SHA1": 63 }, "indicator_count": 2773, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8d9de9710087f6f91b3", "name": "Apple - Malicious activities found in iOS link | verified cyber criminal. | CVE 2023-????", "description": "", "modified": "2023-12-06T17:01:13.202000", "created": "2023-12-06T17:01:13.202000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1090, "hostname": 427, "domain": 89, "URL": 545, "FileHash-MD5": 72, "FileHash-SHA1": 63 }, "indicator_count": 2286, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a857cae685fce7f5231e", "name": "Phishing - bam-cell.cell.nr-data.net", "description": "", "modified": "2023-12-06T16:59:03.209000", "created": "2023-12-06T16:59:03.209000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2052, "hostname": 1185, "domain": 460, "URL": 4294, "FileHash-MD5": 10, "FileHash-SHA1": 11 }, "indicator_count": 8013, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f19afc40e663452f60260", "name": "DNSpionage", "description": "", "modified": "2023-11-13T12:00:59.446000", "created": "2023-10-30T02:49:19.586000", "tags": [ "referrer", "historical ssl", "ssl certificate", "whois record", "whois ssl", "whois", "historical", "siblings parent", "network", "number", "label shanghai", "blue cloud", "ltd regional", "apnic country", "cn continent", "algorithm", "data", "v3 serial", "cus cndigicert", "basic rsa", "cn ca", "g2 odigicert", "inc validity", "oshanghai blue", "road", "beijing country", "beijing", "please", "apnic person", "cn phone", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "cnnic", "whois lookups", "updated date", "apnic netname", "beijing abusec", "abuse cnniccn", "liu registrant", "country", "dns replication", "date", "domain", "first", "blacklist https", "heur", "html", "malware", "alexa top", "site", "filerepmetagen", "suspected", "adware", "cisco umbrella", "malware site", "win64", "opencandy", "cleaner", "artemis", "iframe", "agent", "unsafe", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "genkryptik", "exploit", "presenoker", "filetour", "conduit", "wacatac", "softcnapp", "xtrat", "cve201711882", "memscan", "phishing", "maltiverse", "zbot", "webtoolbar", "trojanspy", "million", "united", "phishing site", "malicious site", "proxy", "firehol", "detection list", "ip address", "blacklist", "safe site", "team", "fusioncore", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "alexa", "adposhel", "installpack", "xrat", "azorult", "service", "runescape", "facebook", "download", "gamehack", "verdict", "falcon sandbox", "pattern match", "show", "file", "indicator", "ascii text", "appdata", "mitre att", "et tor", "known tor", "severity", "hybrid", "general", "misc attack", "beginstring", "script", "relayrouter", "exit", "node traffic", "null", "error", "unknown", "span", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "click", "strings", "meta", "anonymizer", "team proxy", "host", "control server", "meterpreter", "dnspionage", "filerepmalware", "fakealert", "pony", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "patcher", "adload", "webcompanion", "seraph", "downloader", "generic", "dapato", "redline stealer", "beach research", "blacklist http", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "bundled", "dropped", "contacted", "most malicious", "server", "parent parent" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "652a9637ba159a3febc414c4", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2420, "FileHash-SHA1": 189, "FileHash-SHA256": 3307, "URL": 1933, "domain": 255, "hostname": 1083, "CIDR": 1, "email": 4, "CVE": 27 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652a9637ba159a3febc414c4", "name": "DNSpionage", "description": "", "modified": "2023-11-13T12:00:59.446000", "created": "2023-10-14T13:23:03.558000", "tags": [ "referrer", "historical ssl", "ssl certificate", "whois record", "whois ssl", "whois", "historical", "siblings parent", "network", "number", "label shanghai", "blue cloud", "ltd regional", "apnic country", "cn continent", "algorithm", "data", "v3 serial", "cus cndigicert", "basic rsa", "cn ca", "g2 odigicert", "inc validity", "oshanghai blue", "road", "beijing country", "beijing", "please", "apnic person", "cn phone", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "cnnic", "whois lookups", "updated date", "apnic netname", "beijing abusec", "abuse cnniccn", "liu registrant", "country", "dns replication", "date", "domain", "first", "blacklist https", "heur", "html", "malware", "alexa top", "site", "filerepmetagen", "suspected", "adware", "cisco umbrella", "malware site", "win64", "opencandy", "cleaner", "artemis", "iframe", "agent", "unsafe", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "genkryptik", "exploit", "presenoker", "filetour", "conduit", "wacatac", "softcnapp", "xtrat", "cve201711882", "memscan", "phishing", "maltiverse", "zbot", "webtoolbar", "trojanspy", "million", "united", "phishing site", "malicious site", "proxy", "firehol", "detection list", "ip address", "blacklist", "safe site", "team", "fusioncore", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "alexa", "adposhel", "installpack", "xrat", "azorult", "service", "runescape", "facebook", "download", "gamehack", "verdict", "falcon sandbox", "pattern match", "show", "file", "indicator", "ascii text", "appdata", "mitre att", "et tor", "known tor", "severity", "hybrid", "general", "misc attack", "beginstring", "script", "relayrouter", "exit", "node traffic", "null", "error", "unknown", "span", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "click", "strings", "meta", "anonymizer", "team proxy", "host", "control server", "meterpreter", "dnspionage", "filerepmalware", "fakealert", "pony", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "patcher", "adload", "webcompanion", "seraph", "downloader", "generic", "dapato", "redline stealer", "beach research", "blacklist http", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "bundled", "dropped", "contacted", "most malicious", "server", "parent parent" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "652a9441becbdf690c095816", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2420, "FileHash-SHA1": 189, "FileHash-SHA256": 3307, "URL": 1933, "domain": 255, "hostname": 1083, "CIDR": 1, "email": 4, "CVE": 27 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652a9441becbdf690c095816", "name": "27 CVE Talley | GameHack l Beach Research", "description": "", "modified": "2023-11-13T12:00:59.446000", "created": "2023-10-14T13:14:41.530000", "tags": [ "referrer", "historical ssl", "ssl certificate", "whois record", "whois ssl", "whois", "historical", "siblings parent", "network", "number", "label shanghai", "blue cloud", "ltd regional", "apnic country", "cn continent", "algorithm", "data", "v3 serial", "cus cndigicert", "basic rsa", "cn ca", "g2 odigicert", "inc validity", "oshanghai blue", "road", "beijing country", "beijing", "please", "apnic person", "cn phone", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "cnnic", "whois lookups", "updated date", "apnic netname", "beijing abusec", "abuse cnniccn", "liu registrant", "country", "dns replication", "date", "domain", "first", "blacklist https", "heur", "html", "malware", "alexa top", "site", "filerepmetagen", "suspected", "adware", "cisco umbrella", "malware site", "win64", "opencandy", "cleaner", "artemis", "iframe", "agent", "unsafe", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "genkryptik", "exploit", "presenoker", "filetour", "conduit", "wacatac", "softcnapp", "xtrat", "cve201711882", "memscan", "phishing", "maltiverse", "zbot", "webtoolbar", "trojanspy", "million", "united", "phishing site", "malicious site", "proxy", "firehol", "detection list", "ip address", "blacklist", "safe site", "team", "fusioncore", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "alexa", "adposhel", "installpack", "xrat", "azorult", "service", "runescape", "facebook", "download", "gamehack", "verdict", "falcon sandbox", "pattern match", "show", "file", "indicator", "ascii text", "appdata", "mitre att", "et tor", "known tor", "severity", "hybrid", "general", "misc attack", "beginstring", "script", "relayrouter", "exit", "node traffic", "null", "error", "unknown", "span", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "click", "strings", "meta", "anonymizer", "team proxy", "host", "control server", "meterpreter", "dnspionage", "filerepmalware", "fakealert", "pony", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "patcher", "adload", "webcompanion", "seraph", "downloader", "generic", "dapato", "redline stealer", "beach research", "blacklist http", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "bundled", "dropped", "contacted", "most malicious", "server", "parent parent" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "652a901fe2dbea9024b3d614", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2420, "FileHash-SHA1": 189, "FileHash-SHA256": 3307, "URL": 1933, "domain": 255, "hostname": 1083, "CIDR": 1, "email": 4, "CVE": 27 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652a913f48809612f1bd7deb", "name": "Oshanghai Blue ", "description": "", "modified": "2023-11-13T12:00:59.446000", "created": "2023-10-14T13:01:51.164000", "tags": [ "referrer", "historical ssl", "ssl certificate", "whois record", "whois ssl", "whois", "historical", "siblings parent", "network", "number", "label shanghai", "blue cloud", "ltd regional", "apnic country", "cn continent", "algorithm", "data", "v3 serial", "cus cndigicert", "basic rsa", "cn ca", "g2 odigicert", "inc validity", "oshanghai blue", "road", "beijing country", "beijing", "please", "apnic person", "cn phone", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "cnnic", "whois lookups", "updated date", "apnic netname", "beijing abusec", "abuse cnniccn", "liu registrant", "country", "dns replication", "date", "domain", "first", "blacklist https", "heur", "html", "malware", "alexa top", "site", "filerepmetagen", "suspected", "adware", "cisco umbrella", "malware site", "win64", "opencandy", "cleaner", "artemis", "iframe", "agent", "unsafe", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "genkryptik", "exploit", "presenoker", "filetour", "conduit", "wacatac", "softcnapp", "xtrat", "cve201711882", "memscan", "phishing", "maltiverse", "zbot", "webtoolbar", "trojanspy", "million", "united", "phishing site", "malicious site", "proxy", "firehol", "detection list", "ip address", "blacklist", "safe site", "team", "fusioncore", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "alexa", "adposhel", "installpack", "xrat", "azorult", "service", "runescape", "facebook", "download", "gamehack", "verdict", "falcon sandbox", "pattern match", "show", "file", "indicator", "ascii text", "appdata", "mitre att", "et tor", "known tor", "severity", "hybrid", "general", "misc attack", "beginstring", "script", "relayrouter", "exit", "node traffic", "null", "error", "unknown", "span", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "click", "strings", "meta", "anonymizer", "team proxy", "host", "control server", "meterpreter", "dnspionage", "filerepmalware", "fakealert", "pony", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "patcher", "adload", "webcompanion", "seraph", "downloader", "generic", "dapato", "redline stealer", "beach research", "blacklist http", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "bundled", "dropped", "contacted", "most malicious", "server", "parent parent" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "652a901fe2dbea9024b3d614", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2420, "FileHash-SHA1": 189, "FileHash-SHA256": 3307, "URL": 1933, "domain": 255, "hostname": 1083, "CIDR": 1, "email": 4, "CVE": 27 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1a3a03614354a606c383", "name": "Apple - Malicious activities found in iOS link | verified cyber criminal", "description": "", "modified": "2023-11-13T04:04:31.274000", "created": "2023-10-30T02:51:38.882000", "tags": [ "pattern match", "script", "beginstring", "mitre att", "file", "ck id", "show technique", "ck matrix", "indicator", "ascii text", "date", "null", "unknown", "error", "span", "class", "critical", "refresh", "body", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "meta", "http response", "final url", "serving ip", "address", "name verdict", "falcon sandbox", "detection list", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "6529abecabb0de583aad0aa3", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 707, "FileHash-MD5": 276, "FileHash-SHA1": 263, "FileHash-SHA256": 4615, "domain": 108, "hostname": 1292 }, "indicator_count": 7261, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6529abecabb0de583aad0aa3", "name": "Apple - Malicious activities found in iOS link | verified cyber criminal. | CVE 2023-????", "description": "Very curious issue found in previous pulse.\nCyber warfare.\nUnspecified legal entities & verified cyber criminals?\nWorking together? Unverified.\ntargets:\ntsara brashears - verified\nsong culture - verified\nkedence - verified\nSkype - verified\nmessages - verified\napple iTunes - verified\nCVE? Pay me.\nInvolves legal entities targeting an individual, business and associates after an alleged physical SA attack of a female according to published sources. \nAppears to be silencing. Overwhelming amount of threats found online.\n\nTests calls tracking me now\nD241 test successful/ DOS/ hacker initiated.\nSilencing me now. Verifiable\nRed Teams, attorneys, verified cyber criminals, IC3 China IP. Malicious\nIP origination appears to be US. Bounces.\nNeeds further research.", "modified": "2023-11-13T04:04:31.274000", "created": "2023-10-13T20:43:24.771000", "tags": [ "pattern match", "script", "beginstring", "mitre att", "file", "ck id", "show technique", "ck matrix", "indicator", "ascii text", "date", "null", "unknown", "error", "span", "class", "critical", "refresh", "body", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "meta", "http response", "final url", "serving ip", "address", "name verdict", "falcon sandbox", "detection list", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 707, "FileHash-MD5": 276, "FileHash-SHA1": 263, "FileHash-SHA256": 4615, "domain": 108, "hostname": 1292 }, "indicator_count": 7261, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1c14640441b2e0b7ec5e", "name": "Apple link - Critical risk found", "description": "", "modified": "2023-11-13T03:03:18.483000", "created": "2023-10-30T02:59:32.811000", "tags": [ "pattern match", "script", "beginstring", "mitre att", "file", "ck id", "show technique", "ck matrix", "indicator", "ascii text", "date", "null", "unknown", "error", "span", "class", "critical", "refresh", "body", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "meta", "http response", "final url", "serving ip", "address", "name verdict", "falcon sandbox", "detection list", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "6529ac30efd59e5ff6f5f709", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2291, "FileHash-MD5": 225, "FileHash-SHA1": 213, "FileHash-SHA256": 3746, "domain": 159, "hostname": 1922 }, "indicator_count": 8556, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6529ac30efd59e5ff6f5f709", "name": "Apple link - Critical risk found ", "description": "", "modified": "2023-11-13T03:03:18.483000", "created": "2023-10-13T20:44:32.429000", "tags": [ "pattern match", "script", "beginstring", "mitre att", "file", "ck id", "show technique", "ck matrix", "indicator", "ascii text", "date", "null", "unknown", "error", "span", "class", "critical", "refresh", "body", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "meta", "http response", "final url", "serving ip", "address", "name verdict", "falcon sandbox", "detection list", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "6529abecabb0de583aad0aa3", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2291, "FileHash-MD5": 225, "FileHash-SHA1": 213, "FileHash-SHA256": 3746, "domain": 159, "hostname": 1922 }, "indicator_count": 8556, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6524f2a85b4dd064922b8c7a", "name": "Phishing - bam-cell.cell.nr-data.net", "description": "Phishing\nAPT's\nAnonymization\nProxy: FireHOL\ncloud collector-newrelic\nG0032 - Lazarus Group 03/2023\nAS23467 New Relic", "modified": "2023-11-09T05:05:01.692000", "created": "2023-10-10T06:43:52.526000", "tags": [ "whois record", "contacted", "ssl certificate", "parent", "historical ssl", "communicating", "siblings", "execution", "resolutions", "collections", "malicious", "generic malware", "hybridanalysis", "fri jan", "mon jan", "date filename", "blacklist fri", "install league", "legends", "fri dec", "sun jan", "allusersprofile", "osuser", "dns requests", "process list", "gamesmetadata", "cisco umbrella", "site", "mon jul", "online thu", "safe site", "malware", "cname", "record type", "ttl value", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "tls rsa", "sha256", "ca1 odigicert", "inc validity", "relic" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4294, "FileHash-MD5": 10, "FileHash-SHA1": 11, "FileHash-SHA256": 2052, "domain": 460, "hostname": 1185, "CVE": 1 }, "indicator_count": 8013, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "892 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f155cf81da97fd82bba62", "name": "Phishing - bam-cell.cell.nr-data.net", "description": "", "modified": "2023-11-09T05:05:01.692000", "created": "2023-10-30T02:30:52.720000", "tags": [ "whois record", "contacted", "ssl certificate", "parent", "historical ssl", "communicating", "siblings", "execution", "resolutions", "collections", "malicious", "generic malware", "hybridanalysis", "fri jan", "mon jan", "date filename", "blacklist fri", "install league", "legends", "fri dec", "sun jan", "allusersprofile", "osuser", "dns requests", "process list", "gamesmetadata", "cisco umbrella", "site", "mon jul", "online thu", "safe site", "malware", "cname", "record type", "ttl value", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "tls rsa", "sha256", "ca1 odigicert", "inc validity", "relic" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6524f2a85b4dd064922b8c7a", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4294, "FileHash-MD5": 10, "FileHash-SHA1": 11, "FileHash-SHA256": 2052, "domain": 460, "hostname": 1185, "CVE": 1 }, "indicator_count": 8013, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "892 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "tokenencryption.mam.manage-ppe.microsoftonline.cn | https://encrypt.enterpriseregistration.partner.microsoftonline.cn", "ic3-media-audiencebot.chn-no3-001.ic3-media-audiencebot.chinanorth3-gallatin.cosmic.partner.outlook.cn", "http://virii.es/U/Using Entropy Analysis to Find Encrypted and Packed Malware.pdf", "ic3he-ge.teams.trafficmanager.cn | ic3he-ge.teams.trafficmanager.cn | partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "ic3-media-audiencebot.chn-ea3-001.ic3-media-audiencebot.chinaeast3-gallatin.cosmic.partner.outlook.cn", "ic3-media-mpaas-ivr.chn-no3-002.ic3-media-mpaas-ivr.chinanorth3-gallatin.cosmic.partner.outlook.cn", "TrojanSpy:Win32/Rebhip.F: 5586f9b1a688d58ead675547231f84daf30c0c1c18fc6584fb37cfdaa5125fea", "partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "Yara Detections ConventionEngine_Keyword_Launch , MS_Visual_Cpp_2003 , Cabinet_Archive , Nullsoft_NSIS", "001-ea3.chn.cos.audience.teams.microsoftonline.cn | 001-no3.chn.cos.audience.teams.microsoftonline.cn", "VirTool:MSIL/CryptInject!: FileHash-SHA256 bbabbbdfbb40016ed75a7ceb3f983c58797577247ffba74a1d0aab46b72b0643", "TrojanSpy:Win32/Rebhip.F: http://w.cn4e.com/login/bc.jsp?p=ix5KZDRKcnWBJ6ajdBhecP1lMuzLoE1s0C1i9+ksxWcZJK/hYGZdXSDPe3xCp02xzq0EXsDt+GEIykVMplIPKA==&4lC8a2Py9lOxeYnfOWCZPU0VlLoLx7fVrfU2hBe8CgagrYeJS+SoNc3W34M2h/kbKz5RbH+OFy2SfjMAmGu74w==&A9VopQG0dDxhY+Ku/NF1C8FGNvIhy36pnzqkS4GgTjwsbI8ok+B5K8FXJW2kEIlJxYQu19lSwkqKJu+UtcZvfg==&G/9EanSL/XFEPUA7CiWzOg/9sPYcdFKz90x7wGXCESBsMdCvrrldf9ZZrjBpUx8XdG6aK/wR8sqSksJ5wA9Y6Q==&YRQGDPQJkCxAmK4eNjFDC7I0arWP+eE6UIJHCPmv/HXDcxRWPDOXlzXK7uvuVDkjA1llh8gOam+rpWLXZTx+uQ==&d=sicoto", "http://phoenix.yizimg.com/alabiaga/androidx/commit/d7e342ef6cfe5885f1bb786f1912a039422b9251", "Yara Detections: ProcessInjector_Gen , stack_string , Cabinet_Archive , VM_Unknown , UPX", "http://callcontroller.cnno3-02.ic3-calling-callcontroller.chinanorth3-gallatin.cosmic.partner.outlook.cn", "http://sni.cloudflaressl.com/", "http://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "bjb.webshell.suite.partner.microsoftonline.cn | Shanghai Blue", "http://w.cn4e.com/login/bc.jsp?p=vfqFFKW%2BIGfiCD65IDGjyLxM2SI6T01nMjOHYnstwLOHKIWDgmOKTOF1xSdw9Gcgk3Vsw%2BiMEMZg0exeBk76yA%3D%3D%26njqroJJefuLemxYifUtAyeML%2FLMURbuIPYQZrlWic%2BL8e8HVbJO9uR2YxwgfwZct39x09olEQGUt7c7AUR5VeQ%3D%3D%26KwZ41toCvJmi5lujp8N8y8fB65auqmMzD93Hpf2Y7lSTCl0TqvssvQvyWAsH9sX6ykvG0puC%2FCCRD48L9J5YjQ%3D%3D%26ck6ZnzP%2FWNQV%2BmK5uOzxgB9XdQbUEnnpNXUT0vCUKGpoDcmpZLuzbmyzsZfKKGyzo8r7L0Qwfw2mff0zdyc5BA%3D%3D&d=yongstextile.com", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "http://www.forensickb.com/2013/03/file-entropy-explained.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "TrojanDownloader:Win32/Nemucod" ], "malware_families": [ "Alf:aggr:mytonel_obfuscator", "Zbot", "Webtoolbar", "Generic", "Gamehack", "Win.malware.zusy-9875693-0", "Trojanspy", "Alf:heraklezeval:trojandownloader:win32/dridex!rfn", "Behav", "Beach research", "Maltiverse", "Alf:heraklezeval:trojanspy:win32/rebhip.f", "Win.malware.generic-9870238-0", "Alf:jasyp:virtool:msil/cryptinject!atmn" ], "industries": [], "unique_indicators": 77290 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/outlook.cn", "whois": "http://whois.domaintools.com/outlook.cn", "domain": "outlook.cn", "hostname": "partner.outlook.cn" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 24, "pulses": [ { "id": "68930449988277cd29c25cb7", "name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper", "description": "", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:29:13.136000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": "6893032410060f658d862c60", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6893032410060f658d862c60", "name": "Hosting App - Partial research | Emotet Worm", "description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:24:20.645000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d147ac5afafb76f652ccfb", "name": "cyberfolks.pl / Hosting/ 185.208.164.121 / VPS / 94.152.11.60 / 193.218.154.51", "description": "The full text of the text-free version of Microsoft's Chrome browser can be viewed here:. \u00c2\u00a31.5m.. (\u20ac2.4m) \u20ac", "modified": "2024-12-16T22:19:24.841000", "created": "2024-08-30T04:16:44.939000", "tags": [ "vhash", "ssdeep", "digicert", "g2 firmy", "digicert g3", "entrust gwny", "gwny", "microsoft ecc", "microsoft azure", "ecc tls", "rsa tls", "microsoft rsa", "aoc ca", "digicert tls", "azure rsa", "eoc ca", "digicert cloud", "azure tls", "azure ecc", "xargs", "jeli", "azure", "authority", "java", "ms windows", "dziennik zdarze", "vista", "pe32", "intel", "defender", "systemy", "plik", "tekst ascii", "dane archiwalne", "ptime", "danie", "msie", "windows nt", "okrndata", "jzyk", "cieka", "sha1", "sha256", "imphasz", "pejzasz", "windows", "eurostile", "disk1", "augustin", "butterfield", "cook", "drummer", "erickson", "fjsv", "flynn", "gorman", "easy", "rada", "xanadu", "config", "reboot", "screen", "trash", "wersja pliku", "v2 dokument", "aaaa", "cname", "aaaaa", "whasz", "dostawa", "cache entry", "wav chrome", "gzip chrome", "text chrome", "woff chrome", "cab c", "lnk c", "doc c", "doc chrome", "ttf chrome" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6307, "hostname": 7851, "domain": 1282, "FileHash-MD5": 221, "FileHash-SHA256": 1346, "IPv4": 1437, "IPv6": 8, "FileHash-SHA1": 192, "email": 3, "CIDR": 8, "CVE": 2 }, "indicator_count": 18657, "is_author": false, "is_subscribing": null, "subscriber_count": 125, "modified_text": "488 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cb1a82b938d97fca42577b", "name": "http://sni.cloudflaressl.com/ SSL dla sni.com and Cloudflaressl.cloudflAressL.org", "description": "urz\u0105dzenie5695310-7a1dc9c7-local.wd2go.com\nurz\u0105dzenie4491421-0ffc7b50-local.wd2go.com", "modified": "2024-11-29T19:44:16.599000", "created": "2024-08-25T11:50:26.438000", "tags": [ "cloudflare", "read", "report", "zero trust", "contact", "sign", "view", "discover", "gartner magic", "quadrant", "protect", "enterprise", "fortune", "ssl certificate" ], "references": [ "http://sni.cloudflaressl.com/" ], "public": 1, "adversary": "TrojanDownloader:Win32/Nemucod", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8863, "hostname": 2526, "domain": 3054, "FileHash-SHA256": 703, "FileHash-SHA1": 16, "IPv4": 227, "FileHash-MD5": 10, "IPv6": 8, "CVE": 2 }, "indicator_count": 15409, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "505 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cbb85a6cfde70987049f81", "name": "Hijacked Android: CryptInject | Dridex | Spyware", "description": "Hijacked basic android phone purchased in US directly from vendor not carrier. Spyware, SQL and other malware found. \nIt's a bit confusing IC3 is typically synonymous with United States FBI cyber security complaint division. Issue appear to be originating from China. This is interesting. Microsoft Teams CN have login, password, account, modification privileges as well as an 'audience'. \nVictim contacted IC3, received no response when contacting IC3 from personal devices. Calls are being made from phone as well as many other intrusive activities.\nOriginated from an IP address found on phone with a SWIPPER dba Verizon Business with a Hurricane Electric BGP relationship.", "modified": "2024-09-24T21:00:32.174000", "created": "2024-08-25T23:03:54.460000", "tags": [ "windows", "service", "shellexecuteexw", "writeconsolew", "registry", "modify existing", "dock", "write", "malware", "binary_yara", "yara rule", "binary file", "all scoreblue", "av detections", "ids detections", "yara detections", "alerts", "all search", "otx scoreblue", "analysis date", "risk", "show", "filehash", "april", "trojanspy", "file score", "june", "passive dns", "urls", "hostname", "url analysis", "domain", "china unknown", "as133775", "as4847 china", "united", "as4811 china", "as4837 china", "as54994 quantil", "as133774", "cname", "aaaa", "as20940", "registrar", "unknown related", "pulses otx", "tags", "present", "issuer cus", "odigicert inc", "road", "beijing country", "blue cloud", "apnic person", "cn phone", "ip information", "quick stats", "ip location", "china", "ltd asn", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "apnic irt", "beijing email", "whois lookups", "country", "filtered role", "abuse cnniccn", "algorithm", "key usage", "first", "v3 serial", "number", "cus odigicert", "inc cndigicert", "basic rsa", "cn ca", "g2 validity", "status hostname", "query type", "address first", "seen last", "country unknown", "files ip", "sql client", "historical ssl", "referrer", "win32", "entries", "scan endpoints", "pulse pulses", "copy" ], "references": [ "ic3he-ge.teams.trafficmanager.cn | ic3he-ge.teams.trafficmanager.cn | partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "Yara Detections: ProcessInjector_Gen , stack_string , Cabinet_Archive , VM_Unknown , UPX", "bjb.webshell.suite.partner.microsoftonline.cn | Shanghai Blue", "001-ea3.chn.cos.audience.teams.microsoftonline.cn | 001-no3.chn.cos.audience.teams.microsoftonline.cn", "https://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "http://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "http://callcontroller.cnno3-02.ic3-calling-callcontroller.chinanorth3-gallatin.cosmic.partner.outlook.cn", "ic3-media-audiencebot.chn-ea3-001.ic3-media-audiencebot.chinaeast3-gallatin.cosmic.partner.outlook.cn", "ic3-media-mpaas-ivr.chn-no3-002.ic3-media-mpaas-ivr.chinanorth3-gallatin.cosmic.partner.outlook.cn", "ic3-media-audiencebot.chn-no3-001.ic3-media-audiencebot.chinanorth3-gallatin.cosmic.partner.outlook.cn", "http://w.cn4e.com/login/bc.jsp?p=vfqFFKW%2BIGfiCD65IDGjyLxM2SI6T01nMjOHYnstwLOHKIWDgmOKTOF1xSdw9Gcgk3Vsw%2BiMEMZg0exeBk76yA%3D%3D%26njqroJJefuLemxYifUtAyeML%2FLMURbuIPYQZrlWic%2BL8e8HVbJO9uR2YxwgfwZct39x09olEQGUt7c7AUR5VeQ%3D%3D%26KwZ41toCvJmi5lujp8N8y8fB65auqmMzD93Hpf2Y7lSTCl0TqvssvQvyWAsH9sX6ykvG0puC%2FCCRD48L9J5YjQ%3D%3D%26ck6ZnzP%2FWNQV%2BmK5uOzxgB9XdQbUEnnpNXUT0vCUKGpoDcmpZLuzbmyzsZfKKGyzo8r7L0Qwfw2mff0zdyc5BA%3D%3D&d=yongstextile.com", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "http://phoenix.yizimg.com/alabiaga/androidx/commit/d7e342ef6cfe5885f1bb786f1912a039422b9251", "TrojanSpy:Win32/Rebhip.F: http://w.cn4e.com/login/bc.jsp?p=ix5KZDRKcnWBJ6ajdBhecP1lMuzLoE1s0C1i9+ksxWcZJK/hYGZdXSDPe3xCp02xzq0EXsDt+GEIykVMplIPKA==&4lC8a2Py9lOxeYnfOWCZPU0VlLoLx7fVrfU2hBe8CgagrYeJS+SoNc3W34M2h/kbKz5RbH+OFy2SfjMAmGu74w==&A9VopQG0dDxhY+Ku/NF1C8FGNvIhy36pnzqkS4GgTjwsbI8ok+B5K8FXJW2kEIlJxYQu19lSwkqKJu+UtcZvfg==&G/9EanSL/XFEPUA7CiWzOg/9sPYcdFKz90x7wGXCESBsMdCvrrldf9ZZrjBpUx8XdG6aK/wR8sqSksJ5wA9Y6Q==&YRQGDPQJkCxAmK4eNjFDC7I0arWP+eE6UIJHCPmv/HXDcxRWPDOXlzXK7uvuVDkjA1llh8gOam+rpWLXZTx+uQ==&d=sicoto", "TrojanSpy:Win32/Rebhip.F: 5586f9b1a688d58ead675547231f84daf30c0c1c18fc6584fb37cfdaa5125fea", "VirTool:MSIL/CryptInject!: FileHash-SHA256 bbabbbdfbb40016ed75a7ceb3f983c58797577247ffba74a1d0aab46b72b0643", "Yara Detections ConventionEngine_Keyword_Launch , MS_Visual_Cpp_2003 , Cabinet_Archive , Nullsoft_NSIS", "tokenencryption.mam.manage-ppe.microsoftonline.cn | https://encrypt.enterpriseregistration.partner.microsoftonline.cn", "http://virii.es/U/Using Entropy Analysis to Find Encrypted and Packed Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:AGGR:Mytonel_Obfuscator", "display_name": "ALF:AGGR:Mytonel_Obfuscator", "target": null }, { "id": "Win.Malware.Generic-9870238-0", "display_name": "Win.Malware.Generic-9870238-0", "target": null }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/Rebhip.F", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/Rebhip.F", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Malware.Zusy-9875693-0", "display_name": "Win.Malware.Zusy-9875693-0", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Dridex!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Dridex!rfn", "target": null }, { "id": "ALF:JASYP:VirTool:MSIL/CryptInject!atmn", "display_name": "ALF:JASYP:VirTool:MSIL/CryptInject!atmn", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1673, "FileHash-SHA1": 1344, "FileHash-SHA256": 3753, "domain": 224, "hostname": 613, "URL": 490, "email": 8, "CIDR": 1 }, "indicator_count": 8106, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "571 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652a901fe2dbea9024b3d614", "name": "Black Tech", "description": "Found in a malicious Apple iTunes link. Lists several independent artists. Music \"producer\" is potentially highly dependent on use of AI generated instrumentation and conception. Hacking seems to target a single target and associates.", "modified": "2024-09-24T00:01:38.502000", "created": "2023-10-14T12:57:03.183000", "tags": [ "referrer", "historical ssl", "ssl certificate", "whois record", "whois ssl", "whois", "historical", "siblings parent", "network", "number", "label shanghai", "blue cloud", "ltd regional", "apnic country", "cn continent", "algorithm", "data", "v3 serial", "cus cndigicert", "basic rsa", "cn ca", "g2 odigicert", "inc validity", "oshanghai blue", "road", "beijing country", "beijing", "please", "apnic person", "cn phone", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "cnnic", "whois lookups", "updated date", "apnic netname", "beijing abusec", "abuse cnniccn", "liu registrant", "country", "dns replication", "date", "domain", "first", "blacklist https", "heur", "html", "malware", "alexa top", "site", "filerepmetagen", "suspected", "adware", "cisco umbrella", "malware site", "win64", "opencandy", "cleaner", "artemis", "iframe", "agent", "unsafe", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "genkryptik", "exploit", "presenoker", "filetour", "conduit", "wacatac", "softcnapp", "xtrat", "cve201711882", "memscan", "phishing", "maltiverse", "zbot", "webtoolbar", "trojanspy", "million", "united", "phishing site", "malicious site", "proxy", "firehol", "detection list", "ip address", "blacklist", "safe site", "team", "fusioncore", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "alexa", "adposhel", "installpack", "xrat", "azorult", "service", "runescape", "facebook", "download", "gamehack", "verdict", "falcon sandbox", "pattern match", "show", "file", "indicator", "ascii text", "appdata", "mitre att", "et tor", "known tor", "severity", "hybrid", "general", "misc attack", "beginstring", "script", "relayrouter", "exit", "node traffic", "null", "error", "unknown", "span", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "click", "strings", "meta", "anonymizer", "team proxy", "host", "control server", "meterpreter", "dnspionage", "filerepmalware", "fakealert", "pony", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "patcher", "adload", "webcompanion", "seraph", "downloader", "generic", "dapato", "redline stealer", "beach research", "blacklist http", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "bundled", "dropped", "contacted", "most malicious", "server", "parent parent" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2449, "FileHash-SHA1": 217, "FileHash-SHA256": 3441, "URL": 2044, "domain": 258, "hostname": 1100, "CIDR": 1, "email": 4, "CVE": 37 }, "indicator_count": 9551, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a9123acb8410d1158f8a", "name": "DNSpionage", "description": "", "modified": "2023-12-06T17:02:10.861000", "created": "2023-12-06T17:02:10.861000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a90bc683765a535061dc", "name": "27 CVE Talley | GameHack l Beach Research", "description": "", "modified": "2023-12-06T17:02:03.119000", "created": "2023-12-06T17:02:03.119000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a903fc0836f148fa45c9", "name": "Oshanghai Blue", "description": "", "modified": "2023-12-06T17:01:55.465000", "created": "2023-12-06T17:01:55.465000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://partner.outlook.cn/SMTP.Send", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://partner.outlook.cn/SMTP.Send", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776611097.6708083 }