{ "type": "URL", "indicator": "https://ros.weixiao.video", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ros.weixiao.video", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3964235444, "indicator": "https://ros.weixiao.video", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "6a0a0e71af8047801da346a8", "name": "Credit: Skocherhan \"gh0st shadows\" clone [ty sk]", "description": "", "modified": "2026-05-20T08:57:02.834000", "created": "2026-05-17T18:52:33.147000", "tags": [], "references": [ "114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6a09f8a35ce1c4ed81629523", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 520, "hostname": 534, "URL": 487, "IPv4": 17, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 16, "CIDR": 2, "email": 2 }, "indicator_count": 1586, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a09f8a35ce1c4ed81629523", "name": "gh0st shadows", "description": "msudosos, have a look", "modified": "2026-05-17T17:19:31.602000", "created": "2026-05-17T17:19:31.602000", "tags": [], "references": [ "114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 342, "hostname": 405, "URL": 437 }, "indicator_count": 1184, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d68458f57b670809385981", "name": "x.com | Hijacking | Tulach | State of Colorado | [scoreblue]", "description": "", "modified": "2026-04-08T16:37:44.951000", "created": "2026-04-08T16:37:44.951000", "tags": [ "x.com", "x vercel", "x template", "verizon block", "show", "registrar abuse", "pulse provide", "pornhub", "namecheap", "mitre att", "get tsara brashears search results", "aaaa", "false files", "cyber defense attack", "contacted", "contact", "brian sabey topics", "adversary tags", "all scoreblue beazzers brian sabey search result", "tulach topics", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "search", "medium", "trojan", "copy", "write", "win32", "malware", "levelblue", "open threat", "crouching yeti", "trojanspy", "trojandropper", "denver police x.com 'template'", "remote job" ], "references": [ "Source: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm_", "Issue pulsing MITRE ATT&CK's", "MITRE ATT&CK: T1003.008 - /etc/passwd and /etc/shadow", "MITRE ATT&CK: T1021 - Remote Services", "MITRE ATT&CK: T1010 - Application Window Discovery", "MITRE ATT&CK: T1027 - Obfuscated Files or Information", "MITRE ATT&CK: T1031 - Modify Existing Service", "MITRE ATT&CK: T1036.004 - Masquerade Task or Service", "MITRE ATT&CK: T1045 - Software Packing", "MITRE ATT&CK: T1051 - Shared Webroot", "MITRE ATT&CK: T1055 - Process Injection", "MITRE ATT&CK: T1056.001 - Keylogging", "MITRE ATT&CK: T1056 - Input Capture", "MITRE ATT&CK: T1057 - Process Discovery", "MITRE ATT&CK: T1059 - Command and Scripting Interpreter", "MITRE ATT&CK: T1063 - Security Software Discovery", "MITRE ATT&CK: T1068 - Exploitation for Privilege Escalation", "MITRE ATT&CK: T1070 - Indicator Removal", "MITRE ATT&CK: T1070.005 - Network Share Connection Removal", "MITRE ATT&CK: T1071 - Application Layer Protocol", "MITRE ATT&CK: T1080 - Taint Shared Content", "MITRE ATT&CK: T1082 - System Information Discovery", "MITRE ATT&CK: T1083 - File and Directory Discovery", "MITRE ATT&CK: T1090 - Proxy", "MITRE ATT&CK: T1622 - Debugger Evasion", "MITRE ATT&CK: T1105 - Ingress Tool Transfer", "MITRE ATT&CK: T1106 - Native API", "MITRE ATT&CK: T1119 - Automated Collection", "MITRE ATT&CK: T1120 - Peripheral Device Discovery", "MITRE ATT&CK: T1129 - Shared Modules", "MITRE ATT&CK: T1140 - Deobfuscate/Decode Files or Information", "MITRE ATT&CK: T1210 - Exploitation of Remote Services", "MITRE ATT&CK: T1472 - Generate Fraudulent Advertising Revenue", "MITRE ATT&CK: T1547 - Boot or Logon Autostart Execution", "MITRE ATT&CK: T1553 - Subvert Trust Controls", "MITRE ATT&CK: T1573 - Encrypted Channel", "MITRE ATT&CK: T1574 - Hijack Execution Flow", "MITRE ATT&CK: T1614 - System Location Discovery", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm_" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.B", "display_name": "Trojan:Win32/Vflooder.B", "target": "/malware/Trojan:Win32/Vflooder.B" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "white", "cloned_from": "66b4cb43e069e1aee086c0fd", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 104, "FileHash-SHA1": 102, "FileHash-SHA256": 232, "URL": 298, "domain": 38, "hostname": 158 }, "indicator_count": 932, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "53 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c08b488620dac7697026c7", "name": "Fakefolder | Ransom:Win32/CVE affecting HCA Healthcare cloud", "description": "Cloud computing - User Acceptance Testing (UAT)\napparently used by HCA one of the nations leading healthcare providers. It's seems HCA's cloud is compromised. The cloud has a number of high priority vulnerabilities, malware, ransomware, zero day, etc. Patient accounts aiming involved, (some patients received letters of serious PII, PHI compromise) lost records, patient blacklisting, hacking, and nefarious manipulations by providers. I've been made aware of CORHIO closing compromised patient accounts. Some patients account access and data has reportedly been lost.\n#VirTool:Win32/Obfuscator.ADB\nALF:HeraklezEval:Ransom:Win32/CVE\nRansom:Win32/StopCrypt.AK!MTB\nRansom:Win32/Wannaren.A\nTrojan:Win32/BlackMon\nTrojan:Win32/Fakefolder\nTulach Malware", "modified": "2024-10-15T14:02:54.772000", "created": "2024-08-17T11:36:40.810000", "tags": [ "microsoft edge", "iocs", "alberta ndp", "security", "vc rescue", "disk", "apple", "google", "windows", "powershell", "security https", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "site", "cisco umbrella", "alexa top", "blacklist", "million", "mail spammer", "firehol", "ip address", "noname057", "anonymizer", "firehol proxy", "proxy", "india mail", "malware", "full name", "first", "v3 serial", "number", "cus odigicert", "global tls", "rsa4096 sha256", "ca1 validity", "subject public", "key info", "dns replication", "date", "script script", "as12912", "a domains", "a li", "poland unknown", "t mobile", "domains", "przejd", "passive dns", "authority", "meta", "accept", "cname", "record type", "ttl value", "aaaa", "poland", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "location poland", "asnone united", "moved", "location", "vary", "accept encoding", "content type", "virtool", "related pulses", "file samples", "files matching", "show", "search", "date hash", "next", "showing", "as39198", "body", "window", "certificate", "hostname", "unknown", "red bull", "script urls", "as2828 verizon", "ireland unknown", "gmt content", "as8068", "as8075", "servers", "creation date", "united", "trojan", "trojan features", "win32", "msr aug", "urls", "reverse dns", "trojandropper", "historical ssl", "referrer", "infiltrate", "threat network", "malicious", "snapchat", "eternal blue", "sneaky simay", "groups", "covert", "probe", "whois lookup", "domain name", "united", "as15169 google", "a nxdomain", "germany", "dynamicloader", "yara rule", "high", "medium", "port", "dynamic", "domain", "file name", "pcap", "copy", "url host", "port method", "user agent", "okrnserver", "002000", "hit tcpmemhit", "algorithm", "data", "cus oentrust", "entrust", "l1k validity", "cpl lwarszawa", "ot mobile", "status", "name servers", "as6354", "mtb aug", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "location united", "win32 exe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "vs2010", "info compiler", "products", "vs2008", "header intel", "name md5", "type", "language", "ascii text", "cyrillic", "registrar of", "domain names", "ii llc", "contacted", "file type", "mb file", "graph", "ip detections", "country", "type name", "network", "tsara brashears", "december", "typhon reborn", "speakez securus", "hacktool", "emotet", "formbook", "critical", "installer", "tofsee", "hiddentear", "cnc", "email collection", "apple data", "data collection", "tsara brashears", "for privacy", "record value", "emails", "expiration date", "swipper", "tulach", "aitm", "query", "observed dns", "activity dns", "total", "google llc", "pe32", "write", "april", "defender", "otx telemetry", "win32cve aug", "polska s", "copyright", "levelblue", "dashboard", "pulse submit", "url analysis", "as20940", "as16625 akamai", "entrustdns", "france", "entries", "refresh", "443 ma2592000", "net174", "net1740000", "mcics", "read c", "write c", "tlsv1", "default", "module load", "execution", "dock", "persistence", "xport", "redacted for", "privacy tech", "privacy admin", "organization", "postal code", "stateprovince", "server", "registrar abuse", "code", "high priority", "critical", "CVE-2023-29059" ], "references": [ "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http", "Yara Detections: LZMA , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content", "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http", "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window", "nr-data.net [Apple Private Data Collection]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net", "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "record-viewer-application.hcahealthcare.cloud", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "Tulach IP: 114.114.114.114", "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz", "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content", "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\", "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css", "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png", "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg", "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js", "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/BlackMon", "display_name": "Trojan:Win32/BlackMon", "target": "/malware/Trojan:Win32/BlackMon" }, { "id": "Trojan:Win32/Fakefolder", "display_name": "Trojan:Win32/Fakefolder", "target": "/malware/Trojan:Win32/Fakefolder" }, { "id": "Ransom:Win32/Wannaren.A", "display_name": "Ransom:Win32/Wannaren.A", "target": "/malware/Ransom:Win32/Wannaren.A" }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Healthcare", "Technology", "Civilian Society", "Telecommunications", "Networking" ], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1975, "FileHash-SHA1": 1731, "FileHash-SHA256": 4646, "URL": 636, "domain": 283, "hostname": 798, "email": 12, "CVE": 3, "SSLCertFingerprint": 2 }, "indicator_count": 10086, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "594 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ccbb1146fb07a45b6b97fe", "name": "Android Remotely Cracked: Swipper? | Being Sabey links found. Framing?", "description": "Targets phone and other devices cracked remotely. Phone calls made to a family member by phone. Some clues left behind.\n1 clue:mike@softwarezpro1.txt\nLong Link:http://bbd383ttka22.top/prize/luckyus-ad/nigh.php?c=69zejibbz5fz1&k=987ad34e7843dd8f3a3cb6559f188769&country_code=US&country_name=United%20States\u00aeion=New%20York&city=Plainview&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=ja&ref_domain=&os=iOS&osv=16&browser=Chrome&browserv=115&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5\n Stop! Swipper, Brian Sabey, Tulach, whoever you are. Arrest Jeffrey Reimer Scott DPT for groping breasts, V, assaulting so hard it separated victims hips and SI joint, Spinal Cord Injury length of spine. He literally assaulted her brain out. TBI with Arnold's Chiari. Demyelination from brain to toes. He never denied this to Employers. Hi, DPD Major crimes God Bless you...about the report?", "modified": "2024-10-14T18:03:35.631000", "created": "2024-08-26T17:27:45.763000", "tags": [ "unknown", "meta", "software", "site kit", "as53667", "free", "download full", "search", "showing", "encrypt", "date", "asnone united", "kingdom unknown", "wordpress site", "just", "passive dns", "meta http", "content", "gmt server", "a domains", "body", "server", "registrar", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "version crack", "crack serial", "keys license", "algorithm", "whois lookup", "creation date", "code", "namesilo", "country", "domain status", "contact email", "first", "historical ssl", "referrer", "cobalt strike", "switch dns", "query", "fraud risk", "traffic", "luna moth", "campaign", "analyzer paste", "iocs", "samples", "phishing", "malware", "maltiverse", "cyber threat", "engineering", "team phishing", "mail spammer", "telefonica co", "emotet", "download", "malicious", "team", "suppobox", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "blacklist", "module load", "service", "create c", "show", "winhttp authip", "write c", "susp", "trojanspy", "related pulses", "copy", "write", "win32", "memcommit", "read c", "x00x00", "high defense", "evasion", "defense evasion", "cryptexportkey", "windows", "shellexecuteexw", "hash", "writeconsolew", "registry", "t1031", "modify existing", "trojan", "dock", "august", "push", "hostnames", "urls http", "cisco umbrella", "site", "alexa top", "million", "safe site", "malicious site", "tofsee", "google domain", "azorult", "runescape", "facebook", "bank", "alexa", "zbot", "dynamicloader", "yara rule", "high", "grum", "medium", "ids detections", "yara detections", "stream", "as15169 google", "as44273 host", "aaaa", "scan endpoints", "all scoreblue", "next", "type texthtml", "google safe", "browsing", "ipv4", "pulse pulses", "urls", "files", "co20230203", "pe resource", "url https", "archive", "posix tar", "flow t1574", "dll sideloading", "media t1091", "t1055", "spawns", "mitre att", "access ta0001", "replication", "dlls privilege", "window", "ip traffic", "udp a83f8110", "hashes", "t1055 spawns", "dlls defense", "dns resolutions", "user", "samplepath", "menu files", "written c", "files copied", "files dropped", "file", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "contained", "info compiler", "products id", "header intel", "name md5", "type", "language", "sha256", "data", "entries", "filehash", "av detections", "as3215 orange", "related", "france unknown", "reverse dns", "singapore asn", "as16509", "united", "updated date", "pulse submit", "url analysis", "verdict", "as16342 toya", "all search", "otx scoreblue", "hostname", "ip address", "poland unknown", "moved", "gmt contenttype", "vary", "gmt content", "content length", "domain", "files ip", "address", "location poland", "asn as16342", "as16276", "as50599", "as8075", "as5617 orange", "a td", "as198921", "as29686 probe", "germany unknown", "germany", "title", "body doctype", "html public", "ietfdtd html", "head body", "as63949 linode", "united kingdom", "arial", "apache", "accept", "related nids", "files location", "flag united", "files domain", "files related", "as20940", "as4230 claro", "data redacted", "name servers", "expiration date", "invalid url", "mtb feb", "body html", "head title", "hacktool", "trojandropper", "mtb mar", "title head", "overview ip", "record value", "td tr", "tr tr", "dostpne jzyki", "tr table", "table", "utwrz stref", "modyfikuj stref", "td td", "win32vb", "win32qqpass", "worm", "win32mofksys", "worm worm", "win32salgorea", "support", "internet mobile", "win32tofsee", "as3842 inmotion", "as40676 psychz", "formbook cnc", "checkin", "exploit", "virtool", "trojan features", "file samples", "files matching", "date hash", "cname", "error", "script urls", "ezcrack all", "script", "provides", "softwares", "script domains", "pragma", "as202425 ip", "emails", "as46606", "crack", "aaaa nxdomain", "whitelisted", "nxdomain", "as36352", "malware trojan", "asnone", "virgin islands", "backdoor", "please", "win32botgor" ], "references": [ "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "RASMONTR.DLL 192.168.56.101", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "a-fondness-for-beauty.com", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.DI", "display_name": "TrojanSpy:Win32/Nivdort.DI", "target": "/malware/TrojanSpy:Win32/Nivdort.DI" }, { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/CryptInject", "display_name": "Trojan:Win32/CryptInject", "target": "/malware/Trojan:Win32/CryptInject" }, { "id": "RASMONTR.DLL", "display_name": "RASMONTR.DLL", "target": null }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Worm:Win32/Fasong", "display_name": "Worm:Win32/Fasong", "target": "/malware/Worm:Win32/Fasong" }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Zbot.SIBB3!MTB", "display_name": "Trojan:Win32/Zbot.SIBB3!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBB3!MTB" }, { "id": "ELF:Hajime-Q\\ [Trj]", "display_name": "ELF:Hajime-Q\\ [Trj]", "target": null }, { "id": "Win32/Tasekjom.A", "display_name": "Win32/Tasekjom.A", "target": null }, { "id": "TEL:Trojan:Win32/TrojanDownloader", "display_name": "TEL:Trojan:Win32/TrojanDownloader", "target": null }, { "id": "Win32/TrojanDropper", "display_name": "Win32/TrojanDropper", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" }, { "id": "PWS:Win32/VB", "display_name": "PWS:Win32/VB", "target": "/malware/PWS:Win32/VB" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Trojan:Win32/Blihan", "display_name": "Trojan:Win32/Blihan", "target": "/malware/Trojan:Win32/Blihan" }, { "id": "#LowFiCreateRemoteThread", "display_name": "#LowFiCreateRemoteThread", "target": null }, { "id": "Backdoor:Win32/Botgor", "display_name": "Backdoor:Win32/Botgor", "target": "/malware/Backdoor:Win32/Botgor" }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Technology", "Telecommunications", "Civilian Devices" ], "TLP": "green", "cloned_from": null, "export_count": 112, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1629, "FileHash-MD5": 4822, "URL": 2002, "email": 18, "hostname": 1725, "FileHash-SHA1": 3921, "FileHash-SHA256": 9019, "URI": 1 }, "indicator_count": 23137, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "594 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6523344e4adc85389899504c", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2024-10-13T03:00:28.081000", "created": "2023-10-08T22:59:26.040000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7761, "CVE": 6, "FileHash-MD5": 285, "FileHash-SHA1": 165, "FileHash-SHA256": 5059, "domain": 987, "hostname": 2399 }, "indicator_count": 16662, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "596 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e01dc0fd31b731b2d5dac7", "name": "Cloudflade Botnet \u00bb | 1.1.1.1 | Warp.Plus? | smlpp.monster | Mirai", "description": "This issue may only affect those already in Botnet/s. DoS.Bad login requests .dead host, CnC,\nELF:Mirai-GH\\ [Trj] ,\nMirai ,\nNIDS m\nTrojan:Win32/Danabot", "modified": "2024-10-10T10:03:15.339000", "created": "2024-09-10T10:21:52.428000", "tags": [ "ip block", "list", "historical ssl", "iocs", "apt ip", "address list", "nukespeed", "bot networks", "listen", "tracker", "powershell", "http response", "final url", "ip address", "status code", "kb body", "sha256", "gmt server", "united", "passive dns", "as54113", "arial", "dynamic link", "msg div", "all scoreblue", "south korea", "china as4134", "china as4837", "as4766 korea", "as9318 sk", "taiwan as3462", "high", "nids", "tcp syn", "resolverror", "malware", "next", "certificate", "encrypt", "title invalid", "a domains", "files", "ip related", "pulses otx", "as21928", "china as9394", "asnone", "as701 verizon", "china asnone", "port", "destination", "south africa", "tunisia as37693", "nigeria asnone", "tunisia asnone", "kenya as36926", "egypt as36992", "as14061", "aaaa", "moved", "search", "body", "114.114.114.114", "tulach", "telnet", "firebase app", "telnet login", "bad login", "gpl telnet", "telnet root", "hisilicon dvr", "hong kong", "activity", "copy", "suspicious path", "fbotsatori", "yara detections", "contacted", "cname", "urls", "creation date", "otx telemetry", "record value", "date", "unknown", "as51468", "denmark unknown", "scan endpoints", "pulse pulses", "dcbg", "status", "hostname", "taiwan", "as3462", "showing", "as17421", "entries", "win32", "busybox" ], "references": [ "Cloudflare | 1.1.1.1 -WarpPlus/****", "smlpp.monster", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , LZMA", "Tulach- 114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Korea, Republic of", "Japan", "Hong Kong", "Philippines", "Taiwan", "Indonesia", "Australia", "France", "South Africa", "United States of America", "Italy" ], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 863, "domain": 640, "hostname": 740, "URL": 1117, "email": 3, "CVE": 1 }, "indicator_count": 3652, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "599 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e01e7b6a0bc2abe0d6c0d1", "name": "Cloudflare Botnet- https://otx.alienvault.com/pulse/66e01dc0fd31b731b2d5dac7", "description": "", "modified": "2024-10-10T10:03:15.339000", "created": "2024-09-10T10:24:59.035000", "tags": [ "ip block", "list", "historical ssl", "iocs", "apt ip", "address list", "nukespeed", "bot networks", "listen", "tracker", "powershell", "http response", "final url", "ip address", "status code", "kb body", "sha256", "gmt server", "united", "passive dns", "as54113", "arial", "dynamic link", "msg div", "all scoreblue", "south korea", "china as4134", "china as4837", "as4766 korea", "as9318 sk", "taiwan as3462", "high", "nids", "tcp syn", "resolverror", "malware", "next", "certificate", "encrypt", "title invalid", "a domains", "files", "ip related", "pulses otx", "as21928", "china as9394", "asnone", "as701 verizon", "china asnone", "port", "destination", "south africa", "tunisia as37693", "nigeria asnone", "tunisia asnone", "kenya as36926", "egypt as36992", "as14061", "aaaa", "moved", "search", "body", "114.114.114.114", "tulach", "telnet", "firebase app", "telnet login", "bad login", "gpl telnet", "telnet root", "hisilicon dvr", "hong kong", "activity", "copy", "suspicious path", "fbotsatori", "yara detections", "contacted", "cname", "urls", "creation date", "otx telemetry", "record value", "date", "unknown", "as51468", "denmark unknown", "scan endpoints", "pulse pulses", "dcbg", "status", "hostname", "taiwan", "as3462", "showing", "as17421", "entries", "win32", "busybox" ], "references": [ "Cloudflare | 1.1.1.1 -WarpPlus/****", "smlpp.monster", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , LZMA", "Tulach- 114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Korea, Republic of", "Japan", "Hong Kong", "Philippines", "Taiwan", "Indonesia", "Australia", "France", "South Africa", "United States of America", "Italy" ], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66e01dc0fd31b731b2d5dac7", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 863, "domain": 640, "hostname": 740, "URL": 1117, "email": 3, "CVE": 1 }, "indicator_count": 3652, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "599 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b4cb43e069e1aee086c0fd", "name": "x.com | Hijacking - Mitre ATT&CK", "description": "Topic: 'Samuel Tulach' @X.Com Discussion: \" \"Surprised\" to find name associated with;Exodus/ Cellebrite/Pegasus/NSO Brian Sabey\n\nREFERENCE:\nhttps://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm_", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-08T13:42:27.134000", "tags": [ "x.com", "x vercel", "x template", "verizon block", "show", "registrar abuse", "pulse provide", "pornhub", "namecheap", "mitre att", "get tsara brashears search results", "aaaa", "false files", "cyber defense attack", "contacted", "contact", "brian sabey topics", "adversary tags", "all scoreblue beazzers brian sabey search result", "tulach topics", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "search", "medium", "trojan", "copy", "write", "win32", "malware", "levelblue", "open threat", "crouching yeti", "trojanspy", "trojandropper", "denver police x.com 'template'", "remote job" ], "references": [ "Source: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm_", "Issue pulsing MITRE ATT&CK's", "MITRE ATT&CK: T1003.008 - /etc/passwd and /etc/shadow", "MITRE ATT&CK: T1021 - Remote Services", "MITRE ATT&CK: T1010 - Application Window Discovery", "MITRE ATT&CK: T1027 - Obfuscated Files or Information", "MITRE ATT&CK: T1031 - Modify Existing Service", "MITRE ATT&CK: T1036.004 - Masquerade Task or Service", "MITRE ATT&CK: T1045 - Software Packing", "MITRE ATT&CK: T1051 - Shared Webroot", "MITRE ATT&CK: T1055 - Process Injection", "MITRE ATT&CK: T1056.001 - Keylogging", "MITRE ATT&CK: T1056 - Input Capture", "MITRE ATT&CK: T1057 - Process Discovery", "MITRE ATT&CK: T1059 - Command and Scripting Interpreter", "MITRE ATT&CK: T1063 - Security Software Discovery", "MITRE ATT&CK: T1068 - Exploitation for Privilege Escalation", "MITRE ATT&CK: T1070 - Indicator Removal", "MITRE ATT&CK: T1070.005 - Network Share Connection Removal", "MITRE ATT&CK: T1071 - Application Layer Protocol", "MITRE ATT&CK: T1080 - Taint Shared Content", "MITRE ATT&CK: T1082 - System Information Discovery", "MITRE ATT&CK: T1083 - File and Directory Discovery", "MITRE ATT&CK: T1090 - Proxy", "MITRE ATT&CK: T1622 - Debugger Evasion", "MITRE ATT&CK: T1105 - Ingress Tool Transfer", "MITRE ATT&CK: T1106 - Native API", "MITRE ATT&CK: T1119 - Automated Collection", "MITRE ATT&CK: T1120 - Peripheral Device Discovery", "MITRE ATT&CK: T1129 - Shared Modules", "MITRE ATT&CK: T1140 - Deobfuscate/Decode Files or Information", "MITRE ATT&CK: T1210 - Exploitation of Remote Services", "MITRE ATT&CK: T1472 - Generate Fraudulent Advertising Revenue", "MITRE ATT&CK: T1547 - Boot or Logon Autostart Execution", "MITRE ATT&CK: T1553 - Subvert Trust Controls", "MITRE ATT&CK: T1573 - Encrypted Channel", "MITRE ATT&CK: T1574 - Hijack Execution Flow", "MITRE ATT&CK: T1614 - System Location Discovery", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm_" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.B", "display_name": "Trojan:Win32/Vflooder.B", "target": "/malware/Trojan:Win32/Vflooder.B" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 104, "FileHash-SHA1": 102, "FileHash-SHA256": 232, "URL": 298, "domain": 38, "hostname": 158 }, "indicator_count": 932, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "601 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b759cf57d491a9dcca8c17", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:15:11.526000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1014, "domain": 645, "hostname": 1472, "email": 7, "CVE": 2 }, "indicator_count": 10041, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "601 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b75a315eac0ff46fa4510d", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:16:49.869000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1030, "domain": 646, "hostname": 1473, "email": 7, "CVE": 2 }, "indicator_count": 10059, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "601 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "MITRE ATT&CK: T1071 - Application Layer Protocol", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://applepaydayloans.com/", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "www.jamesbgriffinlaw.com (malicious host)", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "X Vercel Servers", "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window", "Data Analytics", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "MITRE ATT&CK: T1003.008 - /etc/passwd and /etc/shadow", "MITRE ATT&CK: T1119 - Automated Collection", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "45.159.189.105 (Command and Control)", "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Roksit.net", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "MITRE ATT&CK: T1120 - Peripheral Device Discovery", "MITRE ATT&CK: T1574 - Hijack Execution Flow", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "MITRE ATT&CK: T1059 - Command and Scripting Interpreter", "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content", "https://support.Apple.com/de", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "Yara Detections: LZMA , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "MITRE ATT&CK: T1472 - Generate Fraudulent Advertising Revenue", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm_", "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png", "remote.haverhillcc.com (remote hacking)", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "http://borpatoken.com/ borpatoken.com", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org", "record-viewer-application.hcahealthcare.cloud", "MITRE ATT&CK: T1070 - Indicator Removal", "Cloudflare | 1.1.1.1 -WarpPlus/****", "MITRE ATT&CK: T1140 - Deobfuscate/Decode Files or Information", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "https://sinister.ly/Thread-Apple-empty-box?page=13", "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http", "Behavior Pattern Match Analysis", "Vtapi: scanter.comwww.twitter.comx.com", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "MITRE ATT&CK: T1056 - Input Capture", "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "MITRE ATT&CK: T1553 - Subvert Trust Controls", "http://init-p01st.push.apple.com/bag (remote hacking)", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "MITRE ATT&CK: T1036.004 - Masquerade Task or Service", "MITRE ATT&CK: T1547 - Boot or Logon Autostart Execution", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "MITRE ATT&CK: T1106 - Native API", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm", "MITRE ATT&CK: T1210 - Exploitation of Remote Services", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "MITRE ATT&CK: T1055 - Process Injection", "applepaydayloans.com", "MITRE ATT&CK: T1051 - Shared Webroot", "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "apple.com. (malicious version/header)", "MITRE ATT&CK: T1129 - Shared Modules", "a-fondness-for-beauty.com", "smlpp.monster", "MITRE ATT&CK: T1573 - Encrypted Channel", "MITRE ATT&CK: T1021 - Remote Services", "MITRE ATT&CK: T1063 - Security Software Discovery", "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz", "init.ess.apple.com (remote hacking)", "MITRE ATT&CK: T1010 - Application Window Discovery", "MITRE ATT&CK: T1031 - Modify Existing Service", "MITRE ATT&CK: T1057 - Process Discovery", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg", "MITRE ATT&CK: T1090 - Proxy", "Source: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm_", "stagelight.pl (malicious/ pattern match)", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "MITRE ATT&CK: T1614 - System Location Discovery", "114.114.114.114", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "Tulach- 114.114.114.114", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "firebaseremoteconfig.googleapis.com (remote hacking)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.apple.com/sitemap/", "http://www.Apple.com/quicktime/download", "MITRE ATT&CK: T1083 - File and Directory Discovery", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "RASMONTR.DLL 192.168.56.101", "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http", "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "Yara Detections is__elf , LZMA", "https://www.roseoubleu.fr/panier (phishing)", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "MITRE ATT&CK: T1056.001 - Keylogging", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "MITRE ATT&CK: T1105 - Ingress Tool Transfer", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "Issue pulsing MITRE ATT&CK's", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "MITRE ATT&CK: T1070.005 - Network Share Connection Removal", "nr-data.net [Apple Private Data Collection]", "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "MITRE ATT&CK: T1080 - Taint Shared Content", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "Tulach IP: 114.114.114.114", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "MITRE ATT&CK: T1068 - Exploitation for Privilege Escalation", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "MITRE ATT&CK: T1045 - Software Packing", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://45.159.189.105/bot/regex (Bot Command)", "MITRE ATT&CK: T1027 - Obfuscated Files or Information", "http://ww1.tsx.org/_fd", "http://www.Apple.com/quicktime/download/standalone.html", "MITRE ATT&CK: T1622 - Debugger Evasion", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "MITRE ATT&CK: T1082 - System Information Discovery" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/glupteba", "Ramnit", "Gen:variant.zusy", "Rasmontr.dll", "Win32/trojandropper", "Trojan:win32/cryptinject", "Trojan.ole2.vbs", "Ransom:win32/wannaren.a", "Malware", "#virtool:win32/obfuscator", "Worm:win32/netsky", "Trojan:win32/fakefolder", "Pws:msil/steam", "Generic.asmalws malicious_confidence_70% 1\til:trojan.msilzilla 1\tfilerepmalware 1\transom.sabsik 1\tbehaveslike.dropper 1\tmicrosoft phishing 1\tbackdoor.mokes 1\tphishing bank of america corporat", "W32.aidetectmalware", "Worm:win32/mofksys", "Trojan.html.agent", "Keyloggers", "Sodin ransomware", "Generic.31fcc75f", "Ransom:win32/stopcrypt.ak!mtb", "Tulach malware", "Win.trojan.occamy", "Artemis", "Trojan:win32/trickler", "Backdoor:win32/tofsee", "Trojanspy", "Trojan:win32/muldrop", "Pws:win32/vb", "Maltiverse", "W32.hack.generic", "Trojan:win32/comame", "Proxy", "Gen:variant.bulz", "#lowficreateremotethread", "Relic", "Trojan:win32/emotet.pc!mtb", "Trojan:win32/danabot", "Elf:mirai-gh\\ [trj]", "Gamehack.dr", "Gen:variant.razy", "Tel:trojan:win32/trojandownloader", "Laplasclipper", "Qvm20.1.8d80.malware", "#hstr:hacktool:win32/mimikatz", "Worm:win32/fasong", "Searchmeup", "#virtool:win32/obfuscator.adb", "#lowfi:siga:trojanspy:msil/keylogger", "Trojan:win32/pariham", "Trojan:win32/salgorea", "Phish.ab", "Trojan:win32/vflooder.b", "Backdoor.mokes", "Backdoor:win32/botgor", "Trojan.generic", "Tel:trojan:win32/emotet", "Redline stealer", "Tel:delphi/obfuscator", "Malware.generic", "Trojan:win32/vflooder.a", "Ml.generic", "Malicious.22a4c0", "Trojan:win32/blihan", "Nids", "Trojan:win32/qqpass", "Elf:hajime-q\\ [trj]", "Slfper:installcore", "Alf:heraklezeval:ransom:win32/cve", "Xpire.info", "Malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tunsafe.ai_score_98% 1\tmobigame 1\tbanker,evasive,retefe 1\tprogram.unwanted 1\tmalicious.high.ml 1\tkryptik.dawvk 1\tunsafe.ai_score_91% 1\tadwar", "Cobalt strike - s0154", "Win32/tasekjom.a", "Sdbot.caoc", "Dropper.binder", "Adware.dropware", "Skynet", "Undefined 1\tms 1\txyz 1\tgl 1\tnet tld aggregation com ms xyz gl net 20% 20% 20% 20% 20% tld\tcount com\t1 undefined\tnan ms\t1 xyz\t1 gl\t1 net\t1 combined blacklist timeline hybrid-analysis maltiverse resea", "Win32:crypterx-gen\\ [trj]", "Anonymizer", "Alf:program:opencandy:remnant", "Adwaresig [adw] ml.generic", "Trojan:win32/zbot.sibb3!mtb", "Alf:trojan:win32/cassini_f28c33a2", "Trojan.ransom.generickd", "Trojanspy:win32/nivdort.di", "Generic.malware", "Mirai", "Trojan:win32/blackmon", "Trojan.vtflooder/vflooder" ], "industries": [ "Technology", "Civilian society", "Civilian devices", "Healthcare", "Telecommunications", "Networking" ], "unique_indicators": 64482 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/weixiao.video", "whois": "http://whois.domaintools.com/weixiao.video", "domain": "weixiao.video", "hostname": "ros.weixiao.video" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "6a0a0e71af8047801da346a8", "name": "Credit: Skocherhan \"gh0st shadows\" clone [ty sk]", "description": "", "modified": "2026-05-20T08:57:02.834000", "created": "2026-05-17T18:52:33.147000", "tags": [], "references": [ "114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6a09f8a35ce1c4ed81629523", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 520, "hostname": 534, "URL": 487, "IPv4": 17, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 16, "CIDR": 2, "email": 2 }, "indicator_count": 1586, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a09f8a35ce1c4ed81629523", "name": "gh0st shadows", "description": "msudosos, have a look", "modified": "2026-05-17T17:19:31.602000", "created": "2026-05-17T17:19:31.602000", "tags": [], "references": [ "114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 342, "hostname": 405, "URL": 437 }, "indicator_count": 1184, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d68458f57b670809385981", "name": "x.com | Hijacking | Tulach | State of Colorado | [scoreblue]", "description": "", "modified": "2026-04-08T16:37:44.951000", "created": "2026-04-08T16:37:44.951000", "tags": [ "x.com", "x vercel", "x template", "verizon block", "show", "registrar abuse", "pulse provide", "pornhub", "namecheap", "mitre att", "get tsara brashears search results", "aaaa", "false files", "cyber defense attack", "contacted", "contact", "brian sabey topics", "adversary tags", "all scoreblue beazzers brian sabey search result", "tulach topics", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "search", "medium", "trojan", "copy", "write", "win32", "malware", "levelblue", "open threat", "crouching yeti", "trojanspy", "trojandropper", "denver police x.com 'template'", "remote job" ], "references": [ "Source: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm_", "Issue pulsing MITRE ATT&CK's", "MITRE ATT&CK: T1003.008 - /etc/passwd and /etc/shadow", "MITRE ATT&CK: T1021 - Remote Services", "MITRE ATT&CK: T1010 - Application Window Discovery", "MITRE ATT&CK: T1027 - Obfuscated Files or Information", "MITRE ATT&CK: T1031 - Modify Existing Service", "MITRE ATT&CK: T1036.004 - Masquerade Task or Service", "MITRE ATT&CK: T1045 - Software Packing", "MITRE ATT&CK: T1051 - Shared Webroot", "MITRE ATT&CK: T1055 - Process Injection", "MITRE ATT&CK: T1056.001 - Keylogging", "MITRE ATT&CK: T1056 - Input Capture", "MITRE ATT&CK: T1057 - Process Discovery", "MITRE ATT&CK: T1059 - Command and Scripting Interpreter", "MITRE ATT&CK: T1063 - Security Software Discovery", "MITRE ATT&CK: T1068 - Exploitation for Privilege Escalation", "MITRE ATT&CK: T1070 - Indicator Removal", "MITRE ATT&CK: T1070.005 - Network Share Connection Removal", "MITRE ATT&CK: T1071 - Application Layer Protocol", "MITRE ATT&CK: T1080 - Taint Shared Content", "MITRE ATT&CK: T1082 - System Information Discovery", "MITRE ATT&CK: T1083 - File and Directory Discovery", "MITRE ATT&CK: T1090 - Proxy", "MITRE ATT&CK: T1622 - Debugger Evasion", "MITRE ATT&CK: T1105 - Ingress Tool Transfer", "MITRE ATT&CK: T1106 - Native API", "MITRE ATT&CK: T1119 - Automated Collection", "MITRE ATT&CK: T1120 - Peripheral Device Discovery", "MITRE ATT&CK: T1129 - Shared Modules", "MITRE ATT&CK: T1140 - Deobfuscate/Decode Files or Information", "MITRE ATT&CK: T1210 - Exploitation of Remote Services", "MITRE ATT&CK: T1472 - Generate Fraudulent Advertising Revenue", "MITRE ATT&CK: T1547 - Boot or Logon Autostart Execution", "MITRE ATT&CK: T1553 - Subvert Trust Controls", "MITRE ATT&CK: T1573 - Encrypted Channel", "MITRE ATT&CK: T1574 - Hijack Execution Flow", "MITRE ATT&CK: T1614 - System Location Discovery", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm_" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.B", "display_name": "Trojan:Win32/Vflooder.B", "target": "/malware/Trojan:Win32/Vflooder.B" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "white", "cloned_from": "66b4cb43e069e1aee086c0fd", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 104, "FileHash-SHA1": 102, "FileHash-SHA256": 232, "URL": 298, "domain": 38, "hostname": 158 }, "indicator_count": 932, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "53 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c08b488620dac7697026c7", "name": "Fakefolder | Ransom:Win32/CVE affecting HCA Healthcare cloud", "description": "Cloud computing - User Acceptance Testing (UAT)\napparently used by HCA one of the nations leading healthcare providers. It's seems HCA's cloud is compromised. The cloud has a number of high priority vulnerabilities, malware, ransomware, zero day, etc. Patient accounts aiming involved, (some patients received letters of serious PII, PHI compromise) lost records, patient blacklisting, hacking, and nefarious manipulations by providers. I've been made aware of CORHIO closing compromised patient accounts. Some patients account access and data has reportedly been lost.\n#VirTool:Win32/Obfuscator.ADB\nALF:HeraklezEval:Ransom:Win32/CVE\nRansom:Win32/StopCrypt.AK!MTB\nRansom:Win32/Wannaren.A\nTrojan:Win32/BlackMon\nTrojan:Win32/Fakefolder\nTulach Malware", "modified": "2024-10-15T14:02:54.772000", "created": "2024-08-17T11:36:40.810000", "tags": [ "microsoft edge", "iocs", "alberta ndp", "security", "vc rescue", "disk", "apple", "google", "windows", "powershell", "security https", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "site", "cisco umbrella", "alexa top", "blacklist", "million", "mail spammer", "firehol", "ip address", "noname057", "anonymizer", "firehol proxy", "proxy", "india mail", "malware", "full name", "first", "v3 serial", "number", "cus odigicert", "global tls", "rsa4096 sha256", "ca1 validity", "subject public", "key info", "dns replication", "date", "script script", "as12912", "a domains", "a li", "poland unknown", "t mobile", "domains", "przejd", "passive dns", "authority", "meta", "accept", "cname", "record type", "ttl value", "aaaa", "poland", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "location poland", "asnone united", "moved", "location", "vary", "accept encoding", "content type", "virtool", "related pulses", "file samples", "files matching", "show", "search", "date hash", "next", "showing", "as39198", "body", "window", "certificate", "hostname", "unknown", "red bull", "script urls", "as2828 verizon", "ireland unknown", "gmt content", "as8068", "as8075", "servers", "creation date", "united", "trojan", "trojan features", "win32", "msr aug", "urls", "reverse dns", "trojandropper", "historical ssl", "referrer", "infiltrate", "threat network", "malicious", "snapchat", "eternal blue", "sneaky simay", "groups", "covert", "probe", "whois lookup", "domain name", "united", "as15169 google", "a nxdomain", "germany", "dynamicloader", "yara rule", "high", "medium", "port", "dynamic", "domain", "file name", "pcap", "copy", "url host", "port method", "user agent", "okrnserver", "002000", "hit tcpmemhit", "algorithm", "data", "cus oentrust", "entrust", "l1k validity", "cpl lwarszawa", "ot mobile", "status", "name servers", "as6354", "mtb aug", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "location united", "win32 exe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "vs2010", "info compiler", "products", "vs2008", "header intel", "name md5", "type", "language", "ascii text", "cyrillic", "registrar of", "domain names", "ii llc", "contacted", "file type", "mb file", "graph", "ip detections", "country", "type name", "network", "tsara brashears", "december", "typhon reborn", "speakez securus", "hacktool", "emotet", "formbook", "critical", "installer", "tofsee", "hiddentear", "cnc", "email collection", "apple data", "data collection", "tsara brashears", "for privacy", "record value", "emails", "expiration date", "swipper", "tulach", "aitm", "query", "observed dns", "activity dns", "total", "google llc", "pe32", "write", "april", "defender", "otx telemetry", "win32cve aug", "polska s", "copyright", "levelblue", "dashboard", "pulse submit", "url analysis", "as20940", "as16625 akamai", "entrustdns", "france", "entries", "refresh", "443 ma2592000", "net174", "net1740000", "mcics", "read c", "write c", "tlsv1", "default", "module load", "execution", "dock", "persistence", "xport", "redacted for", "privacy tech", "privacy admin", "organization", "postal code", "stateprovince", "server", "registrar abuse", "code", "high priority", "critical", "CVE-2023-29059" ], "references": [ "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http", "Yara Detections: LZMA , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content", "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http", "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window", "nr-data.net [Apple Private Data Collection]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net", "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "record-viewer-application.hcahealthcare.cloud", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "Tulach IP: 114.114.114.114", "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz", "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content", "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\", "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css", "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png", "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg", "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js", "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/BlackMon", "display_name": "Trojan:Win32/BlackMon", "target": "/malware/Trojan:Win32/BlackMon" }, { "id": "Trojan:Win32/Fakefolder", "display_name": "Trojan:Win32/Fakefolder", "target": "/malware/Trojan:Win32/Fakefolder" }, { "id": "Ransom:Win32/Wannaren.A", "display_name": "Ransom:Win32/Wannaren.A", "target": "/malware/Ransom:Win32/Wannaren.A" }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Healthcare", "Technology", "Civilian Society", "Telecommunications", "Networking" ], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1975, "FileHash-SHA1": 1731, "FileHash-SHA256": 4646, "URL": 636, "domain": 283, "hostname": 798, "email": 12, "CVE": 3, "SSLCertFingerprint": 2 }, "indicator_count": 10086, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "594 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ccbb1146fb07a45b6b97fe", "name": "Android Remotely Cracked: Swipper? | Being Sabey links found. Framing?", "description": "Targets phone and other devices cracked remotely. Phone calls made to a family member by phone. Some clues left behind.\n1 clue:mike@softwarezpro1.txt\nLong Link:http://bbd383ttka22.top/prize/luckyus-ad/nigh.php?c=69zejibbz5fz1&k=987ad34e7843dd8f3a3cb6559f188769&country_code=US&country_name=United%20States\u00aeion=New%20York&city=Plainview&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=ja&ref_domain=&os=iOS&osv=16&browser=Chrome&browserv=115&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5\n Stop! Swipper, Brian Sabey, Tulach, whoever you are. Arrest Jeffrey Reimer Scott DPT for groping breasts, V, assaulting so hard it separated victims hips and SI joint, Spinal Cord Injury length of spine. He literally assaulted her brain out. TBI with Arnold's Chiari. Demyelination from brain to toes. He never denied this to Employers. Hi, DPD Major crimes God Bless you...about the report?", "modified": "2024-10-14T18:03:35.631000", "created": "2024-08-26T17:27:45.763000", "tags": [ "unknown", "meta", "software", "site kit", "as53667", "free", "download full", "search", "showing", "encrypt", "date", "asnone united", "kingdom unknown", "wordpress site", "just", "passive dns", "meta http", "content", "gmt server", "a domains", "body", "server", "registrar", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "version crack", "crack serial", "keys license", "algorithm", "whois lookup", "creation date", "code", "namesilo", "country", "domain status", "contact email", "first", "historical ssl", "referrer", "cobalt strike", "switch dns", "query", "fraud risk", "traffic", "luna moth", "campaign", "analyzer paste", "iocs", "samples", "phishing", "malware", "maltiverse", "cyber threat", "engineering", "team phishing", "mail spammer", "telefonica co", "emotet", "download", "malicious", "team", "suppobox", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "blacklist", "module load", "service", "create c", "show", "winhttp authip", "write c", "susp", "trojanspy", "related pulses", "copy", "write", "win32", "memcommit", "read c", "x00x00", "high defense", "evasion", "defense evasion", "cryptexportkey", "windows", "shellexecuteexw", "hash", "writeconsolew", "registry", "t1031", "modify existing", "trojan", "dock", "august", "push", "hostnames", "urls http", "cisco umbrella", "site", "alexa top", "million", "safe site", "malicious site", "tofsee", "google domain", "azorult", "runescape", "facebook", "bank", "alexa", "zbot", "dynamicloader", "yara rule", "high", "grum", "medium", "ids detections", "yara detections", "stream", "as15169 google", "as44273 host", "aaaa", "scan endpoints", "all scoreblue", "next", "type texthtml", "google safe", "browsing", "ipv4", "pulse pulses", "urls", "files", "co20230203", "pe resource", "url https", "archive", "posix tar", "flow t1574", "dll sideloading", "media t1091", "t1055", "spawns", "mitre att", "access ta0001", "replication", "dlls privilege", "window", "ip traffic", "udp a83f8110", "hashes", "t1055 spawns", "dlls defense", "dns resolutions", "user", "samplepath", "menu files", "written c", "files copied", "files dropped", "file", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "contained", "info compiler", "products id", "header intel", "name md5", "type", "language", "sha256", "data", "entries", "filehash", "av detections", "as3215 orange", "related", "france unknown", "reverse dns", "singapore asn", "as16509", "united", "updated date", "pulse submit", "url analysis", "verdict", "as16342 toya", "all search", "otx scoreblue", "hostname", "ip address", "poland unknown", "moved", "gmt contenttype", "vary", "gmt content", "content length", "domain", "files ip", "address", "location poland", "asn as16342", "as16276", "as50599", "as8075", "as5617 orange", "a td", "as198921", "as29686 probe", "germany unknown", "germany", "title", "body doctype", "html public", "ietfdtd html", "head body", "as63949 linode", "united kingdom", "arial", "apache", "accept", "related nids", "files location", "flag united", "files domain", "files related", "as20940", "as4230 claro", "data redacted", "name servers", "expiration date", "invalid url", "mtb feb", "body html", "head title", "hacktool", "trojandropper", "mtb mar", "title head", "overview ip", "record value", "td tr", "tr tr", "dostpne jzyki", "tr table", "table", "utwrz stref", "modyfikuj stref", "td td", "win32vb", "win32qqpass", "worm", "win32mofksys", "worm worm", "win32salgorea", "support", "internet mobile", "win32tofsee", "as3842 inmotion", "as40676 psychz", "formbook cnc", "checkin", "exploit", "virtool", "trojan features", "file samples", "files matching", "date hash", "cname", "error", "script urls", "ezcrack all", "script", "provides", "softwares", "script domains", "pragma", "as202425 ip", "emails", "as46606", "crack", "aaaa nxdomain", "whitelisted", "nxdomain", "as36352", "malware trojan", "asnone", "virgin islands", "backdoor", "please", "win32botgor" ], "references": [ "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "RASMONTR.DLL 192.168.56.101", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "a-fondness-for-beauty.com", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.DI", "display_name": "TrojanSpy:Win32/Nivdort.DI", "target": "/malware/TrojanSpy:Win32/Nivdort.DI" }, { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/CryptInject", "display_name": "Trojan:Win32/CryptInject", "target": "/malware/Trojan:Win32/CryptInject" }, { "id": "RASMONTR.DLL", "display_name": "RASMONTR.DLL", "target": null }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Worm:Win32/Fasong", "display_name": "Worm:Win32/Fasong", "target": "/malware/Worm:Win32/Fasong" }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Zbot.SIBB3!MTB", "display_name": "Trojan:Win32/Zbot.SIBB3!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBB3!MTB" }, { "id": "ELF:Hajime-Q\\ [Trj]", "display_name": "ELF:Hajime-Q\\ [Trj]", "target": null }, { "id": "Win32/Tasekjom.A", "display_name": "Win32/Tasekjom.A", "target": null }, { "id": "TEL:Trojan:Win32/TrojanDownloader", "display_name": "TEL:Trojan:Win32/TrojanDownloader", "target": null }, { "id": "Win32/TrojanDropper", "display_name": "Win32/TrojanDropper", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" }, { "id": "PWS:Win32/VB", "display_name": "PWS:Win32/VB", "target": "/malware/PWS:Win32/VB" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Trojan:Win32/Blihan", "display_name": "Trojan:Win32/Blihan", "target": "/malware/Trojan:Win32/Blihan" }, { "id": "#LowFiCreateRemoteThread", "display_name": "#LowFiCreateRemoteThread", "target": null }, { "id": "Backdoor:Win32/Botgor", "display_name": "Backdoor:Win32/Botgor", "target": "/malware/Backdoor:Win32/Botgor" }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Technology", "Telecommunications", "Civilian Devices" ], "TLP": "green", "cloned_from": null, "export_count": 112, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1629, "FileHash-MD5": 4822, "URL": 2002, "email": 18, "hostname": 1725, "FileHash-SHA1": 3921, "FileHash-SHA256": 9019, "URI": 1 }, "indicator_count": 23137, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "594 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6523344e4adc85389899504c", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2024-10-13T03:00:28.081000", "created": "2023-10-08T22:59:26.040000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7761, "CVE": 6, "FileHash-MD5": 285, "FileHash-SHA1": 165, "FileHash-SHA256": 5059, "domain": 987, "hostname": 2399 }, "indicator_count": 16662, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "596 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e01dc0fd31b731b2d5dac7", "name": "Cloudflade Botnet \u00bb | 1.1.1.1 | Warp.Plus? | smlpp.monster | Mirai", "description": "This issue may only affect those already in Botnet/s. DoS.Bad login requests .dead host, CnC,\nELF:Mirai-GH\\ [Trj] ,\nMirai ,\nNIDS m\nTrojan:Win32/Danabot", "modified": "2024-10-10T10:03:15.339000", "created": "2024-09-10T10:21:52.428000", "tags": [ "ip block", "list", "historical ssl", "iocs", "apt ip", "address list", "nukespeed", "bot networks", "listen", "tracker", "powershell", "http response", "final url", "ip address", "status code", "kb body", "sha256", "gmt server", "united", "passive dns", "as54113", "arial", "dynamic link", "msg div", "all scoreblue", "south korea", "china as4134", "china as4837", "as4766 korea", "as9318 sk", "taiwan as3462", "high", "nids", "tcp syn", "resolverror", "malware", "next", "certificate", "encrypt", "title invalid", "a domains", "files", "ip related", "pulses otx", "as21928", "china as9394", "asnone", "as701 verizon", "china asnone", "port", "destination", "south africa", "tunisia as37693", "nigeria asnone", "tunisia asnone", "kenya as36926", "egypt as36992", "as14061", "aaaa", "moved", "search", "body", "114.114.114.114", "tulach", "telnet", "firebase app", "telnet login", "bad login", "gpl telnet", "telnet root", "hisilicon dvr", "hong kong", "activity", "copy", "suspicious path", "fbotsatori", "yara detections", "contacted", "cname", "urls", "creation date", "otx telemetry", "record value", "date", "unknown", "as51468", "denmark unknown", "scan endpoints", "pulse pulses", "dcbg", "status", "hostname", "taiwan", "as3462", "showing", "as17421", "entries", "win32", "busybox" ], "references": [ "Cloudflare | 1.1.1.1 -WarpPlus/****", "smlpp.monster", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , LZMA", "Tulach- 114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Korea, Republic of", "Japan", "Hong Kong", "Philippines", "Taiwan", "Indonesia", "Australia", "France", "South Africa", "United States of America", "Italy" ], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 863, "domain": 640, "hostname": 740, "URL": 1117, "email": 3, "CVE": 1 }, "indicator_count": 3652, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "599 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e01e7b6a0bc2abe0d6c0d1", "name": "Cloudflare Botnet- https://otx.alienvault.com/pulse/66e01dc0fd31b731b2d5dac7", "description": "", "modified": "2024-10-10T10:03:15.339000", "created": "2024-09-10T10:24:59.035000", "tags": [ "ip block", "list", "historical ssl", "iocs", "apt ip", "address list", "nukespeed", "bot networks", "listen", "tracker", "powershell", "http response", "final url", "ip address", "status code", "kb body", "sha256", "gmt server", "united", "passive dns", "as54113", "arial", "dynamic link", "msg div", "all scoreblue", "south korea", "china as4134", "china as4837", "as4766 korea", "as9318 sk", "taiwan as3462", "high", "nids", "tcp syn", "resolverror", "malware", "next", "certificate", "encrypt", "title invalid", "a domains", "files", "ip related", "pulses otx", "as21928", "china as9394", "asnone", "as701 verizon", "china asnone", "port", "destination", "south africa", "tunisia as37693", "nigeria asnone", "tunisia asnone", "kenya as36926", "egypt as36992", "as14061", "aaaa", "moved", "search", "body", "114.114.114.114", "tulach", "telnet", "firebase app", "telnet login", "bad login", "gpl telnet", "telnet root", "hisilicon dvr", "hong kong", "activity", "copy", "suspicious path", "fbotsatori", "yara detections", "contacted", "cname", "urls", "creation date", "otx telemetry", "record value", "date", "unknown", "as51468", "denmark unknown", "scan endpoints", "pulse pulses", "dcbg", "status", "hostname", "taiwan", "as3462", "showing", "as17421", "entries", "win32", "busybox" ], "references": [ "Cloudflare | 1.1.1.1 -WarpPlus/****", "smlpp.monster", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , LZMA", "Tulach- 114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Korea, Republic of", "Japan", "Hong Kong", "Philippines", "Taiwan", "Indonesia", "Australia", "France", "South Africa", "United States of America", "Italy" ], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66e01dc0fd31b731b2d5dac7", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 863, "domain": 640, "hostname": 740, "URL": 1117, "email": 3, "CVE": 1 }, "indicator_count": 3652, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "599 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b4cb43e069e1aee086c0fd", "name": "x.com | Hijacking - Mitre ATT&CK", "description": "Topic: 'Samuel Tulach' @X.Com Discussion: \" \"Surprised\" to find name associated with;Exodus/ Cellebrite/Pegasus/NSO Brian Sabey\n\nREFERENCE:\nhttps://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm_", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-08T13:42:27.134000", "tags": [ "x.com", "x vercel", "x template", "verizon block", "show", "registrar abuse", "pulse provide", "pornhub", "namecheap", "mitre att", "get tsara brashears search results", "aaaa", "false files", "cyber defense attack", "contacted", "contact", "brian sabey topics", "adversary tags", "all scoreblue beazzers brian sabey search result", "tulach topics", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "search", "medium", "trojan", "copy", "write", "win32", "malware", "levelblue", "open threat", "crouching yeti", "trojanspy", "trojandropper", "denver police x.com 'template'", "remote job" ], "references": [ "Source: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm_", "Issue pulsing MITRE ATT&CK's", "MITRE ATT&CK: T1003.008 - /etc/passwd and /etc/shadow", "MITRE ATT&CK: T1021 - Remote Services", "MITRE ATT&CK: T1010 - Application Window Discovery", "MITRE ATT&CK: T1027 - Obfuscated Files or Information", "MITRE ATT&CK: T1031 - Modify Existing Service", "MITRE ATT&CK: T1036.004 - Masquerade Task or Service", "MITRE ATT&CK: T1045 - Software Packing", "MITRE ATT&CK: T1051 - Shared Webroot", "MITRE ATT&CK: T1055 - Process Injection", "MITRE ATT&CK: T1056.001 - Keylogging", "MITRE ATT&CK: T1056 - Input Capture", "MITRE ATT&CK: T1057 - Process Discovery", "MITRE ATT&CK: T1059 - Command and Scripting Interpreter", "MITRE ATT&CK: T1063 - Security Software Discovery", "MITRE ATT&CK: T1068 - Exploitation for Privilege Escalation", "MITRE ATT&CK: T1070 - Indicator Removal", "MITRE ATT&CK: T1070.005 - Network Share Connection Removal", "MITRE ATT&CK: T1071 - Application Layer Protocol", "MITRE ATT&CK: T1080 - Taint Shared Content", "MITRE ATT&CK: T1082 - System Information Discovery", "MITRE ATT&CK: T1083 - File and Directory Discovery", "MITRE ATT&CK: T1090 - Proxy", "MITRE ATT&CK: T1622 - Debugger Evasion", "MITRE ATT&CK: T1105 - Ingress Tool Transfer", "MITRE ATT&CK: T1106 - Native API", "MITRE ATT&CK: T1119 - Automated Collection", "MITRE ATT&CK: T1120 - Peripheral Device Discovery", "MITRE ATT&CK: T1129 - Shared Modules", "MITRE ATT&CK: T1140 - Deobfuscate/Decode Files or Information", "MITRE ATT&CK: T1210 - Exploitation of Remote Services", "MITRE ATT&CK: T1472 - Generate Fraudulent Advertising Revenue", "MITRE ATT&CK: T1547 - Boot or Logon Autostart Execution", "MITRE ATT&CK: T1553 - Subvert Trust Controls", "MITRE ATT&CK: T1573 - Encrypted Channel", "MITRE ATT&CK: T1574 - Hijack Execution Flow", "MITRE ATT&CK: T1614 - System Location Discovery", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm_" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder.B", "display_name": "Trojan:Win32/Vflooder.B", "target": "/malware/Trojan:Win32/Vflooder.B" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 104, "FileHash-SHA1": 102, "FileHash-SHA256": 232, "URL": 298, "domain": 38, "hostname": 158 }, "indicator_count": 932, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "601 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b759cf57d491a9dcca8c17", "name": "Yoda Crypter | Vtapi Virustotal Ransomware | X.Com | Twitter | Remote Job", "description": "Miscellaneous Virustotal attack found. A malicious hash found while researching a malicious Twitter template regarding post found re: otx.alienvault.com pulse.\nFound BorpaToken [moved] attacking X Vercel servers, impacting Azure, impacts X.com, Google.com, YouTube, androids, apple id, (otx seems impacted) with and /w/o header and every versions of related links, Malicious x.com 'REMOTELY' redirects to malicious Twitter templates with recognized names.", "modified": "2024-10-08T11:00:59.828000", "created": "2024-08-10T12:15:11.526000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "yoda", "crypter", "win16 ne", "os2 executable", "sections", "md5 upx0", "upx1", "upx2", "downloads", "http posts", "mitre att", "evasion ta0005", "ta0006 input", "capture t1056", "remote system", "discovery t1018", "reads", "discovery t1082", "windows nt", "get http", "request", "pragma", "response", "memory pattern", "g2 tls", "rsa sha256", "ca1 odigicert", "inc cus", "hashes", "peexe", "deleted c", "files dropped", "json", "registry keys", "ssl protocol", "de ff", "c4 a6", "fe b9", "d7 e8", "ed f6", "c5 c1", "dd f1", "e0 ee", "dword", "samplepath", "process", "created", "shell commands", "windir", "runtime modules", "urls", "ip detections", "country", "us a83f81100", "microsoft stuff", "malicious proxy", "june", "referrer", "historical ssl", "threat roundup", "domains", "threat network", "tracker radar", "hunting service", "vt ransomware", "malicious", "ermac", "probe", "vhash", "authentihash", "rich pe", "ssdeep", "magic pe32", "trid upx", "portable", "info compiler", "products", "vs2008", "vs2010 sp1", "vs2010", "header target", "machine intel", "utc entry", "point", "registrar", "csc corporate", "markmonitor inc", "ta0009 command", "control ta0011", "catalog tree", "analysis ob0001", "analysis ob0002", "command", "control ob0004", "defense evasion", "sample", "upx software", "upx packed", "evasion t1497", "may sleep", "packing f0001", "evasion b0003", "f0001 upx", "ob0006 software", "file", "post http", "hashes c2ae", "capa", "cape sandbox", "zenbox", "user", "files deleted", "files", "calls", "as15169 google", "united", "status", "date", "name servers", "cname", "passive dns", "search", "record value", "next", "error", "code", "unknown", "trojan", "found", "gmt contenttype", "sameorigin", "all scoreblue", "trojandropper", "matches rule", "et info", "generic http", "exe upload", "vtapi", "emails", "servers", "aaaa", "domain", "as13414 twitter", "backdoor", "ipv4", "pulse pulses", "virtool", "mirai", "analyzer paste", "iocs", "hostnames", "urls https", "borpa loading", "expiration", "url https", "akamai rank", "hostname", "twitter", "tsara brashears", "ip address", "pe resource", "apple ios", "threats", "malware", "scripts", "norton", "excel", "hacktool", "problem", "njrat", "ransomware", "open", "samples", "url http", "vercel", "server attack", "yara detections", "push", "scan endpoints", "filehash", "av detections", "ids detections", "alerts", "analysis date", "code overlap", "related pulses", "top source", "top destination", "source source", "copy", "host", "contentlength", "malware beacon", "show", "entries", "cape", "write", "expiration date", "tulach topic", "brian sabey", "hallrender", "apple id", "malicious url", "tag count", "tld count", "detection list", "blacklist https", "count blacklist", "tag tag", "no data", "tld aggregation", "combined", "contact", "as206834 team", "canada unknown", "div div", "redacted for", "unknown xn", "script script", "msie", "chrome", "precondition", "mtb oct", "body", "worm", "trojanspy", "xpire.info", "searchmeup", "as61969 team", "creation date", "domain robot", "win32", "et smtp", "message", "high", "mailrubar", "trojanclicker", "parking crew", "parking logic", "category", "trojan features", "file samples", "files matching", "date hash", "showing", "creates largekey", "threat sniper", "crouching yeti", "kitten", "camaro dragon", "google phish", "macros", "hiddentear", "plugins", "removes headers", "hitmen" ], "references": [ "trojan.vtflooder/vflooder FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4", "Crowdsourced IDS rules: Matches rule MALWARE-CNC Win.Trojan.Occamy variant outbound connection", "Crowdsourced IDS rules: Matches rule ET INFO Generic HTTP EXE Upload Outbound", "Crowdsourced IDS rules: Matches rule (stream_tcp) data sent on stream not accepting data", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://fixupx.com/Yoda4ever/status/1819058165264404527", "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks.", "http://borpatoken.com/ borpatoken.com", "Sourced: https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell). @parthmaniar on Twitter", "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter.", "analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443", "X Vercel Servers", "FileHash-MD5: b7e1dc2c46a9b972943a08b09c4dd6db", "FileHash-SHA1: d20959337b099526ed5250b60d9250ab865a7c6c", "FileHash-SHA256: 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae", "Yara: RansomWin32Betisrypt , TrojanClickerWin32NightClick , TrojanDropperWin32Jscrpt , TrojanWin32Notepices TrojanClickerWin32NightClick", "apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com", "Vtapi: scanter.comwww.twitter.comx.com", "IDS Detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic ET SMTP Abuseat.org Block Message", "IDS Detections: ET TROJAN Pushdo v3 Checkin ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain", "Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249", "Crypt3.BWVY: FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c", "Crypt3.BWVY: FileHash-MD5 947f28c8ab697548aca370c080187e6e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Win.Trojan.Occamy", "display_name": "Win.Trojan.Occamy", "target": null }, { "id": "W32.AIDetectMalware", "display_name": "W32.AIDetectMalware", "target": null }, { "id": "Trojan.Vtflooder/Vflooder", "display_name": "Trojan.Vtflooder/Vflooder", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Vflooder.A", "display_name": "Trojan:Win32/Vflooder.A", "target": "/malware/Trojan:Win32/Vflooder.A" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Trojan:Win32/Comame", "display_name": "Trojan:Win32/Comame", "target": "/malware/Trojan:Win32/Comame" }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Pariham", "display_name": "Trojan:Win32/Pariham", "target": "/malware/Trojan:Win32/Pariham" } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1943, "FileHash-SHA1": 1637, "FileHash-SHA256": 3321, "URL": 1014, "domain": 645, "hostname": 1472, "email": 7, "CVE": 2 }, "indicator_count": 10041, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "601 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ros.weixiao.video", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ros.weixiao.video", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780330860.1869237 }