{ "type": "URL", "indicator": "https://penis.disabled.racing/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://penis.disabled.racing/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3164932596, "indicator": "https://penis.disabled.racing/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "69f2dc7e076cbfe2d0f7eb90", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-30T04:37:18.870000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a141c15cfec672ba39e6a17", "name": "S0094 clone credit score blue ", "description": "", "modified": "2026-05-25T10:03:13.774000", "created": "2026-05-25T09:53:25.429000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": "6665d55d941729c5f283b3f7", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2951, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17067, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f2dc7db0bb5c5cdaec5a6c", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-04-30T04:53:09.713000", "created": "2026-04-30T04:37:17.546000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689cc89e77327602780be49e", "name": "Remotewd Devices \u2022 Spectrum / Charter Communications & AT&T", "description": "Remotewd Devices expanded \u2022 Spectrum / Charter Communications & AT&T.\nAdvesarial. Polymorphic.", "modified": "2025-09-12T16:05:33.542000", "created": "2025-08-13T17:17:18.456000", "tags": [ "url https", "domain", "types of", "united kingdom", "sweden", "virgin islands", "china", "germany", "date", "status", "ip address", "search", "domain add", "passive dns", "urls", "files", "error sep", "present jul", "address google", "safe browsing", "united", "unknown ns", "moved", "body", "cloudfront x", "hio52 p1", "certificate", "win32", "trojan", "entries", "next associated", "title error", "ipv4", "host gh", "secure path", "httponly cache", "x github", "request id", "accept", "encrypt", "formbook cnc", "checkin", "a domains", "lowfi", "mtb jun", "github pages", "as11427", "us note", "route", "ptr record", "hostname add", "url analysis", "verdict", "general info", "geo mckinney", "texas", "spectrum", "charter communications", "charter collection", "auth", "files ip", "address", "asn as16509", "record value", "germany unknown", "meta", "gmt cache", "sans400", "condensed300", "feel lost", "h1 div", "server", "gmt connection", "keep alive", "pragma", "ipv4 add", "url add", "http", "related nids", "files location", "flag united", "unknown aaaa", "china unknown", "beijing", "unknown soa", "hostname", "present aug", "name servers", "aaaa", "windows nt", "dynamicloader", "generic http", "exe upload", "inbound", "outbound", "host", "medium", "write", "markus", "malware", "files domain", "files related", "related tags", "none google", "showing", "error", "extraction", "se enter", "sc type", "data upload", "failed", "extr data", "ox sunnort", "include review", "exclude data", "iocs", "pdf report", "pcap", "stix", "openloc", "pul data", "move", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "ascii text", "show technique", "null", "refresh", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "class", "adversaries", "defense evasion", "initial access", "msie", "chrome", "gmt content", "main", "virtool", "idran anv", "exti", "concor referen", "running webserver", "review iocs", "suggested iocs", "show", "http traffic", "intel", "ms windows", "pe32", "high", "write c", "explorer", "unknown", "worm", "next", "comman_and_control", "et", "vtapi", "dos", "persistence", "polymorphic", "virus", "device", "script", "style", "endcolorstr", "regexp", "link", "powershell", "form", "push", "active", "remote_access", "general full", "protocol h2", "security tls", "austin", "asn7018", "attinternet4", "reverse dns", "software", "domains", "hashes", "at&t", "injection", "rwx", "hackers", "attack", "cape", "stealth hidden extension", "antivm generic", "cape detected", "threat stealth", "public folder", "deletes", "files anomalous", "disables system", "restore dead", "mail procmem", "yara suricata", "queries user name" ], "references": [ "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "Ransomware File Modifications Exec Crash", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "Contains Pe Overlay Queries Locale Api Language Check Registry" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "VirTool:Win32/Obfuscator.JM", "display_name": "VirTool:Win32/Obfuscator.JM", "target": "/malware/VirTool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Cycbot-1584", "display_name": "Win.Trojan.Cycbot-1584", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6171, "domain": 1823, "hostname": 3155, "email": 8, "FileHash-SHA256": 950, "FileHash-MD5": 345, "FileHash-SHA1": 317, "CVE": 1, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 12772, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "260 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66fc29a49b5ac693c8d75122", "name": "Medical Campus - Aurora, Co | Recheck", "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB", "modified": "2024-10-31T16:03:52.240000", "created": "2024-10-01T16:56:04.004000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3850, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3329, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31779, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "576 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b4f1234e20d1551dd7647a", "name": "Boratoken - x.com | Ransom | SnakeKeylogger | X.com redirect | Brian Sabey search results", "description": "Aggressively malicious x.com template.\nIntroduction: ' I was surprised to find this' regarding Google Phish of a 'Samuel Tulach' @X.Com Discussion: Exodus/ Cellebrite/Pegasus/NSO, Brian Sabey,etc,.\nImpacts at least 1 single individual, virustotal, Twitter/x.com.", "modified": "2024-09-07T22:38:23.513000", "created": "2024-08-08T16:24:02.550000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "all scoreblue", "pulse use", "domain", "ipv4", "url http", "url https", "cidr", "email", "ipv6", "code", "pdf report", "contact", "contacted", "registrar abuse", "phishing", "malware beacon", "x com", "twitter", "ransomware", "pyinstaller", "trojanspy", "trojan", "borpa", "samas", "formbook", "formbook cnc", "vtflooder", "namecheap", "'m nudie", "remote job", "get her work", "false files", "pornhub", "aaaa", "proofpoint", "are you hiring", "unknown", "united", "asnone united", "creation date", "search", "germany unknown", "expiration date", "date", "showing", "as61969 team", "body", "meta", "code", "screenshot", "servers", "server", "web attack" ], "references": [ "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "http://borpatoken.com/", "netflix.com Akamai rank: #6", "phyn.app", "https://phyn.app/assets/images/Netflix-Background-phyn-dark.png", "pornhero.net 'we don't need another hero, hero, hero...' No Expiration\t0\t URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/ No Expiration\t14\t URL https://8muses.info/simpsons-porn/simpsons-special-bigboy/", "https://twitter.com/PORNO_SEXYBABES [Twitter Tsara Brashears related]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "x.com related: www.pornhub.com", "Twitter/ X.xom related: https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/", "TAGS: api call app store as13414 twitter as15133 verizon as16625 akamai as18450 as20940 as2914 ntt as397240 as397241 asnone ca issuers", "TAGS: camaro dragon canada click cloudfront cname co number code contact content content gmt copy crlf line cyber defense", "TAGS: email expiry gmt false file files final url for privacy form format malware beacon meta http meta tags namecheap inc", "TAGS: passive dns pattern match title page trojandropper united 12110kb aaaa add tag adversary tags", "TAGS: all scoreblue analyzer apache autoit borpa browser canada cidr ck id ck matrix code code contact contacted", "TAGS: create new domain email expiration filehashmd5 formbook cnc get google phish green hackers hackers heroku hostname", "TAGS: iocs layoutid8 malware nameaul namecheap next no expiration pcap pdf report pegasus topic phish phishing", "TAGS: photoshop prefs privacy service provider public tlp pulse provide pulse use pyinstaller", "TAGS: ransom ransomware red team registrar abuse roboto samas samuel tulach scan endpoints", "TAGS: screenshot snake snake keylogger suspicious template trojan downloader trojanspy tulach url http url https x template x verce" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 500, "FileHash-SHA1": 485, "FileHash-SHA256": 1177, "URL": 1033, "SSLCertFingerprint": 4, "domain": 801, "hostname": 1139, "email": 14, "CIDR": 2 }, "indicator_count": 5155, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "630 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66762a4ccb10185d774ddbde", "name": "Lazarus Group - Emotet | Sony Music", "description": "Is the Lazarus Group still attacking Sony Music, affiliated, former, contacts, aspiring prospects and independent artists?\n\nA Denver Studio owner had former Sony leadership role was fully infected with Pegasus, Mirai and a Lazarus Group affiliation seen. An independent Denver publishing company and artists were greatly targeted and continue to be. A songwriter known to have recorded at Denver Studio had songs pirated. Tori Kelly and Justin Bieber recorded over chops copy written by artist. Strangely legally affiliated. A rumor suggests Lazarus group & Anonymous are hacker made up of government employees, police officers, attorneys and PI's. The government affiliated IP's are give rumors some weight. Hackers will hack anything, \nMost popular beliefs are artist was targeted and therefore the studio where she target worked from often. Denver Studio report scrubbed by HistoryKillerPro & other Unknown Stealers.", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T01:35:08.834000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667648f0bc130bdaa294ea19", "name": "Sony Music | Emotet - Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T03:45:52.401000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "66762a4ccb10185d774ddbde", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f340f8c0223ae0ce199d", "name": "Bitdefender Ransomware| | Sony Music | Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-07-01T00:07:28.402000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "667648f0bc130bdaa294ea19", "export_count": 6847, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d55d941729c5f283b3f7", "name": "S0094-Remote Access - Assurance [a Prudential company]", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:16:29.634000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "690 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d9ae1b06b560698b2a70", "name": "Assurance [a Prudential company] S0094-Remote Access", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:34:54.161000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "690 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "netflix.com Akamai rank: #6", "x.com related: www.pornhub.com", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "ww12.indianpornxxxtube.com", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "http://borpatoken.com/", "https://twitter.com/PORNO_SEXYBABES [Twitter Tsara Brashears related]", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "TAGS: camaro dragon canada click cloudfront cname co number code contact content content gmt copy crlf line cyber defense", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "TAGS: passive dns pattern match title page trojandropper united 12110kb aaaa add tag adversary tags", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Found in: https://Side3.com/", "https://phyn.app/assets/images/Netflix-Background-phyn-dark.png", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "pornhero.net 'we don't need another hero, hero, hero...' No Expiration\t0\t URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/ No Expiration\t14\t URL https://8muses.info/simpsons-porn/simpsons-special-bigboy/", "TAGS: email expiry gmt false file files final url for privacy form format malware beacon meta http meta tags namecheap inc", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "CVE-2023-22518 | CVE-2023-4966", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "phyn.app", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "http://mobilesmafia.com/applications/botnet.ex", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Ransomware File Modifications Exec Crash", "Server: Web redirection - http://loki.com/download", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "TAGS: create new domain email expiration filehashmd5 formbook cnc get google phish green hackers hackers heroku hostname", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "TAGS: api call app store as13414 twitter as15133 verizon as16625 akamai as18450 as20940 as2914 ntt as397240 as397241 asnone ca issuers", "TAGS: screenshot snake snake keylogger suspicious template trojan downloader trojanspy tulach url http url https x template x verce", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "Assurance", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Twitter/ X.xom related: https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/", "pornhub.org", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "TAGS: all scoreblue analyzer apache autoit borpa browser canada cidr ck id ck matrix code code contact contacted", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "TAGS: ransom ransomware red team registrar abuse roboto samas samuel tulach scan endpoints", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "Contains Pe Overlay Queries Locale Api Language Check Registry", "TAGS: iocs layoutid8 malware nameaul namecheap next no expiration pcap pdf report pegasus topic phish phishing", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "TAGS: photoshop prefs privacy service provider public tlp pulse provide pulse use pyinstaller", "nr-data.net [Apple Private Data Collection]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Lazarus Group", "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly," ], "malware_families": [ "Trojan:win32/startpage.ss", "Win32/cryptor", "Alf:jasyp:trojandownloader:win32/karagany!atmn", "Virtool:win32/obfuscator.jm", "Virtool:win32/ceeinject", "Trojan:win32/remcosrat", "Win.trojan.mbrlock-9779766-0", "Worm:win32/lightmoon.h", "Backdoor:msil/bladabindi", "Win32:evo-gen\\ [susp]", "Generic_r.byw", "Win.trojan.darkkomet-1", "Win.packed.pincav-7537597-0", "Trojan.karagany - s0094", "Trojan:win32/vflooder", "Sheur4.ceoo", "Quasar rat", "Win32:inject-bcl\\ [trj]", "Win32/tanatos.a", "#lowfi:suspicioussectionname", "W32.sality-73", "Ransomexx", "Mirai", "Win32:evo-gen", "Artro", "Hacktool", "Win.trojan.xtoober-650", "Win32:karagany-d\\ [trj]", "Win.trojan.cycbot-1584", "Win32:evo-gen\\ [trj]", "Win.trojan.agent-828507" ], "industries": [ "Healthcare", "Media", "Finance - insurance sector", "Telecommunications", "Technology", "Entertainment" ], "unique_indicators": 98122 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/disabled.racing", "whois": "http://whois.domaintools.com/disabled.racing", "domain": "disabled.racing", "hostname": "penis.disabled.racing" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "69f2dc7e076cbfe2d0f7eb90", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-30T04:37:18.870000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a141c15cfec672ba39e6a17", "name": "S0094 clone credit score blue ", "description": "", "modified": "2026-05-25T10:03:13.774000", "created": "2026-05-25T09:53:25.429000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": "6665d55d941729c5f283b3f7", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2951, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17067, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f2dc7db0bb5c5cdaec5a6c", "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]", "description": "", "modified": "2026-04-30T04:53:09.713000", "created": "2026-04-30T04:37:17.546000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": "66fc29a49b5ac693c8d75122", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3851, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3330, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31781, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689cc89e77327602780be49e", "name": "Remotewd Devices \u2022 Spectrum / Charter Communications & AT&T", "description": "Remotewd Devices expanded \u2022 Spectrum / Charter Communications & AT&T.\nAdvesarial. Polymorphic.", "modified": "2025-09-12T16:05:33.542000", "created": "2025-08-13T17:17:18.456000", "tags": [ "url https", "domain", "types of", "united kingdom", "sweden", "virgin islands", "china", "germany", "date", "status", "ip address", "search", "domain add", "passive dns", "urls", "files", "error sep", "present jul", "address google", "safe browsing", "united", "unknown ns", "moved", "body", "cloudfront x", "hio52 p1", "certificate", "win32", "trojan", "entries", "next associated", "title error", "ipv4", "host gh", "secure path", "httponly cache", "x github", "request id", "accept", "encrypt", "formbook cnc", "checkin", "a domains", "lowfi", "mtb jun", "github pages", "as11427", "us note", "route", "ptr record", "hostname add", "url analysis", "verdict", "general info", "geo mckinney", "texas", "spectrum", "charter communications", "charter collection", "auth", "files ip", "address", "asn as16509", "record value", "germany unknown", "meta", "gmt cache", "sans400", "condensed300", "feel lost", "h1 div", "server", "gmt connection", "keep alive", "pragma", "ipv4 add", "url add", "http", "related nids", "files location", "flag united", "unknown aaaa", "china unknown", "beijing", "unknown soa", "hostname", "present aug", "name servers", "aaaa", "windows nt", "dynamicloader", "generic http", "exe upload", "inbound", "outbound", "host", "medium", "write", "markus", "malware", "files domain", "files related", "related tags", "none google", "showing", "error", "extraction", "se enter", "sc type", "data upload", "failed", "extr data", "ox sunnort", "include review", "exclude data", "iocs", "pdf report", "pcap", "stix", "openloc", "pul data", "move", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "ascii text", "show technique", "null", "refresh", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "class", "adversaries", "defense evasion", "initial access", "msie", "chrome", "gmt content", "main", "virtool", "idran anv", "exti", "concor referen", "running webserver", "review iocs", "suggested iocs", "show", "http traffic", "intel", "ms windows", "pe32", "high", "write c", "explorer", "unknown", "worm", "next", "comman_and_control", "et", "vtapi", "dos", "persistence", "polymorphic", "virus", "device", "script", "style", "endcolorstr", "regexp", "link", "powershell", "form", "push", "active", "remote_access", "general full", "protocol h2", "security tls", "austin", "asn7018", "attinternet4", "reverse dns", "software", "domains", "hashes", "at&t", "injection", "rwx", "hackers", "attack", "cape", "stealth hidden extension", "antivm generic", "cape detected", "threat stealth", "public folder", "deletes", "files anomalous", "disables system", "restore dead", "mail procmem", "yara suricata", "queries user name" ], "references": [ "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "Ransomware File Modifications Exec Crash", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "Contains Pe Overlay Queries Locale Api Language Check Registry" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "VirTool:Win32/Obfuscator.JM", "display_name": "VirTool:Win32/Obfuscator.JM", "target": "/malware/VirTool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Cycbot-1584", "display_name": "Win.Trojan.Cycbot-1584", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6171, "domain": 1823, "hostname": 3155, "email": 8, "FileHash-SHA256": 950, "FileHash-MD5": 345, "FileHash-SHA1": 317, "CVE": 1, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 12772, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "260 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66fc29a49b5ac693c8d75122", "name": "Medical Campus - Aurora, Co | Recheck", "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB", "modified": "2024-10-31T16:03:52.240000", "created": "2024-10-01T16:56:04.004000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3850, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3329, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31779, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "576 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b4f1234e20d1551dd7647a", "name": "Boratoken - x.com | Ransom | SnakeKeylogger | X.com redirect | Brian Sabey search results", "description": "Aggressively malicious x.com template.\nIntroduction: ' I was surprised to find this' regarding Google Phish of a 'Samuel Tulach' @X.Com Discussion: Exodus/ Cellebrite/Pegasus/NSO, Brian Sabey,etc,.\nImpacts at least 1 single individual, virustotal, Twitter/x.com.", "modified": "2024-09-07T22:38:23.513000", "created": "2024-08-08T16:24:02.550000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "all scoreblue", "pulse use", "domain", "ipv4", "url http", "url https", "cidr", "email", "ipv6", "code", "pdf report", "contact", "contacted", "registrar abuse", "phishing", "malware beacon", "x com", "twitter", "ransomware", "pyinstaller", "trojanspy", "trojan", "borpa", "samas", "formbook", "formbook cnc", "vtflooder", "namecheap", "'m nudie", "remote job", "get her work", "false files", "pornhub", "aaaa", "proofpoint", "are you hiring", "unknown", "united", "asnone united", "creation date", "search", "germany unknown", "expiration date", "date", "showing", "as61969 team", "body", "meta", "code", "screenshot", "servers", "server", "web attack" ], "references": [ "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "http://borpatoken.com/", "netflix.com Akamai rank: #6", "phyn.app", "https://phyn.app/assets/images/Netflix-Background-phyn-dark.png", "pornhero.net 'we don't need another hero, hero, hero...' No Expiration\t0\t URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/ No Expiration\t14\t URL https://8muses.info/simpsons-porn/simpsons-special-bigboy/", "https://twitter.com/PORNO_SEXYBABES [Twitter Tsara Brashears related]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "x.com related: www.pornhub.com", "Twitter/ X.xom related: https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/", "TAGS: api call app store as13414 twitter as15133 verizon as16625 akamai as18450 as20940 as2914 ntt as397240 as397241 asnone ca issuers", "TAGS: camaro dragon canada click cloudfront cname co number code contact content content gmt copy crlf line cyber defense", "TAGS: email expiry gmt false file files final url for privacy form format malware beacon meta http meta tags namecheap inc", "TAGS: passive dns pattern match title page trojandropper united 12110kb aaaa add tag adversary tags", "TAGS: all scoreblue analyzer apache autoit borpa browser canada cidr ck id ck matrix code code contact contacted", "TAGS: create new domain email expiration filehashmd5 formbook cnc get google phish green hackers hackers heroku hostname", "TAGS: iocs layoutid8 malware nameaul namecheap next no expiration pcap pdf report pegasus topic phish phishing", "TAGS: photoshop prefs privacy service provider public tlp pulse provide pulse use pyinstaller", "TAGS: ransom ransomware red team registrar abuse roboto samas samuel tulach scan endpoints", "TAGS: screenshot snake snake keylogger suspicious template trojan downloader trojanspy tulach url http url https x template x verce" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 500, "FileHash-SHA1": 485, "FileHash-SHA256": 1177, "URL": 1033, "SSLCertFingerprint": 4, "domain": 801, "hostname": 1139, "email": 14, "CIDR": 2 }, "indicator_count": 5155, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "630 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66762a4ccb10185d774ddbde", "name": "Lazarus Group - Emotet | Sony Music", "description": "Is the Lazarus Group still attacking Sony Music, affiliated, former, contacts, aspiring prospects and independent artists?\n\nA Denver Studio owner had former Sony leadership role was fully infected with Pegasus, Mirai and a Lazarus Group affiliation seen. An independent Denver publishing company and artists were greatly targeted and continue to be. A songwriter known to have recorded at Denver Studio had songs pirated. Tori Kelly and Justin Bieber recorded over chops copy written by artist. Strangely legally affiliated. A rumor suggests Lazarus group & Anonymous are hacker made up of government employees, police officers, attorneys and PI's. The government affiliated IP's are give rumors some weight. Hackers will hack anything, \nMost popular beliefs are artist was targeted and therefore the studio where she target worked from often. Denver Studio report scrubbed by HistoryKillerPro & other Unknown Stealers.", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T01:35:08.834000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667648f0bc130bdaa294ea19", "name": "Sony Music | Emotet - Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T03:45:52.401000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "66762a4ccb10185d774ddbde", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f340f8c0223ae0ce199d", "name": "Bitdefender Ransomware| | Sony Music | Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-07-01T00:07:28.402000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "667648f0bc130bdaa294ea19", "export_count": 6847, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d55d941729c5f283b3f7", "name": "S0094-Remote Access - Assurance [a Prudential company]", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:16:29.634000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "690 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://penis.disabled.racing/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://penis.disabled.racing/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780211891.5690665 }