{ "type": "URL", "indicator": "https://rslander.sweetheartvideo.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://rslander.sweetheartvideo.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3777240250, "indicator": "https://rslander.sweetheartvideo.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 22, "pulses": [ { "id": "65b7119615db47ea27706a86", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .", "modified": "2024-04-12T23:03:13.367000", "created": "2024-01-29T02:46:46.076000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9102, "CVE": 5, "FileHash-MD5": 68, "FileHash-SHA1": 67, "FileHash-SHA256": 2209, "domain": 1427, "hostname": 4334 }, "indicator_count": 17212, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d302007152543202bac", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:20.375000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 310, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "778 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d2518a7ef9bb17df1b9", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:09.832000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "778 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0cfda433eb05bde3827b", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:29.606000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "778 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0cf9b0dac1aa7f9046cf", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:25.092000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "778 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656e19dfeee6ead11dc6354e", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "", "modified": "2023-12-24T22:02:36.942000", "created": "2023-12-04T18:26:39.448000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65612df2a7b287c614a94f94", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df2a7b287c614a94f94", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:50.158000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df1531ea0c35d79b1f4", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:49.909000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654d29a8dbbe8d0bcc16ed1a", "name": "iOS Tracking \u2192 imitation imap: imap.kehlenbach.net | C2 | Cybercrime", "description": "", "modified": "2023-12-09T08:01:01.882000", "created": "2023-11-09T18:49:12.887000", "tags": [ "ssl certificate", "tsara brashears", "apple ios", "whois record", "virus network", "critical risk", "tracker", "cyberstalking", "drive", "apple phone", "hacktool", "installer", "brashears", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": "654cabd6bb3319558bf2cd38", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 97, "FileHash-SHA256": 1170, "domain": 593, "hostname": 1179, "URL": 3246 }, "indicator_count": 6384, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654cabd6bb3319558bf2cd38", "name": "iOS Tracking \u2192 imitation imap: imap.kehlenbach.net | C2 | Cybercrime", "description": "BotNet campaign, malvertizing, radar tracking, iOS, OS, IP, dns, location tracking, password cracker, faux Pinterest, phishing, malicious domain.\nTargets:\nhttps://pin.it/ (Dangerous IP)\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing)\t\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\n(password cracker)\t\nhttps://www.pornhub.com/video/search?search=tsara+brashears ( Buff Achievement Tracker)\nhttps://www.sweetheartvideo.com/tsara-brashears/ (botnetwork, tracking):\npin.it (TB IP)\nww.google.com.uy. (Brashears IP addresses) \notc.greatcall.com (Botnetwork, tracking call)\n0-129-103-71imap-intranet-pv-175-166.matomo.cloud (location collection, call, message, email)\nhttps://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= (Transactional email collection)\n\napple iOS, imap", "modified": "2023-12-09T08:01:01.882000", "created": "2023-11-09T09:52:22.834000", "tags": [ "ssl certificate", "tsara brashears", "apple ios", "whois record", "virus network", "critical risk", "tracker", "cyberstalking", "drive", "apple phone", "hacktool", "installer", "brashears", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 97, "FileHash-SHA256": 1170, "domain": 593, "hostname": 1179, "URL": 3246 }, "indicator_count": 6384, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6544cbbca7610e92e4262c47", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Targeting", "description": "", "modified": "2023-11-29T14:03:31.663000", "created": "2023-11-03T10:30:20.965000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "654140bae73f795aa914e8de", "export_count": 108, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d5ee5a7359a5e815a6a", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:18.712000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654140bae73f795aa914e8de", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-31T18:00:26.439000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "65401d73e96dd70037ed22a7", "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65403022038832e42175601f", "name": "CRITICAL!!! | Health Insurance Cyber threat Matrix - Darkside 2020 Ecosystem .BEware ", "description": "", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T22:37:22.425000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": "65402a8dec948bec8b0a0372", "export_count": 95, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 8601, "URL": 7499, "domain": 4604, "hostname": 4187, "CIDR": 2, "CVE": 23, "URI": 1 }, "indicator_count": 25942, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65402a8dec948bec8b0a0372", "name": "24 CVE's | Health Liability bDarkside 2020 Ecosystem .BEware", "description": "Matrix of cyber crime attacks appears to involved legal entities and a division of Workers Compensation Colorado, possibly used nationally. Targeting, monitoring, tracking, malvertizing, cyber attacks, CNC. Critical.\nCould probably be disputed $$$$ though undisputable. \nEd Said. \nhttp://1.116.132.182/weblogic_CVE_2020_2551.jar\t\t\t\nCVE-2020-0601\t\t\t\t\t\nCVE-2018-8174\t\t\t\nCVE-2018-4893\t\t\t\nCVE-2018-0802\t\t\t\nCVE-2017-8759\t\t\t\t\t\t\nCVE-2017-8464\t\t\t\nCVE-2017-1188\t\t\t\t\nCVE-2017-0143\t\t\t\nCVE-2016-7262\t\t\t\nCVE-2014-6352\t\t\t\nCVE-2013-2465\t\t\t\nCVE-2011-2110\t\t\t\nCVE-2011-0609\t\t\t\nCVE-2010-2568\t\t\t\nCVE-2018-8453\t\t\t\nCVE-2013-1331\nCVE-2012-1856\t\t\t\t\nCVE-2012-0158\t\t\t\t\t\t\nCVE-2017-8570\t\t\t\nCVE-2017-11882\t\t\t\nCVE-2017-0199\t\t\t\t\t\t\nCVE-2017-0147\t\t\t\t\t\t\nCVE-2014-3153", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T22:13:33.427000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 92, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 8601, "URL": 7499, "domain": 4603, "hostname": 4187, "CIDR": 2, "CVE": 23 }, "indicator_count": 25940, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401fddb74fe1ea8506132d", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "Law Enforcement? DOJ? ACLU? Help? This is CRAZY.\nSilencing.\nI like her song clicked on link but it was malicious. I was redirected to an Indian link that looked like YouTube.\nI am a professional, awarded researcher in many areas, parent, security researcher, graphic designer, supplier, music lover , disabled. overly curious and hacked. HELP. SCARED", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:27:57.026000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 92, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 8601, "URL": 7499, "domain": 4603, "hostname": 4187, "CIDR": 2, "CVE": 23 }, "indicator_count": 25940, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401fcb063a0a34fa323603", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "Law Enforcement? DOJ? ACLU? Help? This is CRAZY.\nSilencing.\nI like her song clicked on link but it was malicious. I was redirected to an Indian link that looked like YouTube.\nI am a professional, awarded researcher in many areas, parent, security researcher, graphic designer, supplier, music lover , disabled. overly curious and hacked. HELP. SCARED", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:27:39.980000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 87, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 8601, "URL": 7499, "domain": 4603, "hostname": 4187, "CIDR": 2, "CVE": 23 }, "indicator_count": 25940, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401dbe47ce126e7468a2dc", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I'm actually uncomfortable finding this.", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:18:54.411000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 85, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 8601, "URL": 7499, "domain": 4603, "hostname": 4187, "CIDR": 2, "CVE": 23 }, "indicator_count": 25940, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401da888067e7f6379d23e", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I'm actually uncomfortable finding this.", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:18:32.141000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 8601, "URL": 7499, "domain": 4603, "hostname": 4187, "CIDR": 2, "CVE": 23 }, "indicator_count": 25940, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d8480e4a9ed725f6458", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:56.820000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d76b057b79aaf7ba4a7", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:40.239000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65401d73e96dd70037ed22a7", "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears", "description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]", "modified": "2023-11-29T14:03:31.663000", "created": "2023-10-30T21:17:39.802000", "tags": [ "ssl certificate", "whois record", "contacted", "referrer", "communicating", "resolutions", "historical ssl", "whois whois", "http", "critical risk", "dark power", "cobalt strike", "malware", "core", "critical", "copy", "formbook", "submission", "sophos sophos", "xcitium verdict", "cloud xcitium", "verdict cloud", "history first", "analysis", "utc http", "response final", "url https", "march", "execution", "falcon sandbox", "pattern match", "changelog", "header", "layer", "data", "ipv4", "function", "file", "et tor", "known tor", "meta", "monitoring", "date", "body", "form", "august", "june", "friendly", "main", "footer", "unknown", "hybrid", "general", "click", "strings", "class", "generator", "error", "pe resource", "redline stealer", "april", "lockbit", "emotet", "hacktool", "apple", "tsara brashears", "tmobile", "pyinstaller", "password", "dns poisoning", "domains", "abuse", "kiannas law", "cyber security", "cisco umbrella", "site", "malware site", "malicious site", "safe site", "alexa top", "million", "phishing site", "team phishing", "exploit", "download", "unruy", "alexa", "riskware", "back", "azorult", "phishing", "service", "runescape", "facebook", "bank", "team", "cutwail", "adload", "maltiverse", "kryptik", "united", "cyber threat", "engineering", "bambernek", "strike", "zbot", "suppobox", "malicious", "ransomware", "virut", "bandoo", "matsnu", "iframe", "zeus", "agent", "steam", "nymaim", "citadel", "heur", "covid19", "simda", "artemis", "bradesco", "pony", "pykspa", "sodinokibi", "betabot", "virustotal", "tinba", "domaiq", "ave maria", "revil", "downloader", "tofsee", "vawtrak", "hotmail", "dnspionage", "nexus", "generic", "andromeda", "dropper", "crypt", "outbreak", "wacatac", "mimikatz", "trojanx", "astaroth", "keybase", "stealer", "radamant", "kovter", "unsafe", "win64", "conduit", "presenoker", "opencandy", "remcos", "miner", "agenttesla", "trojan", "detplock", "networm", "fusioncore", "acint", "installpack", "xtrat", "nircmd", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "fakealert", "filetour", "installcore", "floxif", "cleaner", "patcher", "kgs0", "kls0", "threat report", "ip summary", "url summary", "summary", "urls", "detection list", "blacklist http", "samples", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Kryptik", "display_name": "Kryptik", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Health" ], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 518, "FileHash-SHA1": 507, "FileHash-SHA256": 10945, "URL": 19764, "domain": 5110, "hostname": 8668, "CIDR": 2, "CVE": 24 }, "indicator_count": 45538, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "872 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "angebot.staude.de", "CS IDS rule: (port_scan) TCP filtered portsweep", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/", "Trojan:Win32/WannaCry.350", "cellebrite.com | enterprise.cellebrite.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears/", "c1a99e3bde9bad27e463c32b96311312.virus", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.malwarebytes.com/emotet", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "https://www.esurance.com/", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Group - Pegasus" ], "malware_families": [ "Lolkek", "Emotet", "Brashears", "Et", "Maltiverse", "Kryptik", "Trojan:win32/wannacry.350" ], "industries": [ "Civil society", "Telecom", "Health", "Insurance" ], "unique_indicators": 92318 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/sweetheartvideo.com", "whois": "http://whois.domaintools.com/sweetheartvideo.com", "domain": "sweetheartvideo.com", "hostname": "rslander.sweetheartvideo.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 22, "pulses": [ { "id": "65b7119615db47ea27706a86", "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I", "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .", "modified": "2024-04-12T23:03:13.367000", "created": "2024-01-29T02:46:46.076000", "tags": [ "ssl certificate", "xamzexpires600", "whois record", "url collection", "collections", "historical ssl", "referrer", "contacted", "resolutions", "web gateway", "emotet", "urls http", "whois whois", "domains", "lolkek", "core", "caddywiper", "awful", "urls url", "cymulate", "malware", "com laude", "ltd dba", "first", "utc submissions", "submitters", "cloudflarenet", "internet domain", "service bs", "corp", "dynadot", "twitter", "optimizer", "amazonaes", "summary iocs", "graph community", "origin1", "ver33", "dtamlb", "smlb", "csc corporate", "gandi sas", "namecheap inc", "google", "amazon02", "apple", "remote attacks" ], "references": [ "https://www.esurance.com/", "https://www.malwarebytes.com/emotet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null } ], "attack_ids": [], "industries": [ "Telecom", "Civil Society", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9102, "CVE": 5, "FileHash-MD5": 68, "FileHash-SHA1": 67, "FileHash-SHA256": 2209, "domain": 1427, "hostname": 4334 }, "indicator_count": 17212, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d302007152543202bac", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:20.375000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 310, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "778 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d2518a7ef9bb17df1b9", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:09.832000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "778 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0cfda433eb05bde3827b", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:29.606000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "778 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0cf9b0dac1aa7f9046cf", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:25.092000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "778 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656e19dfeee6ead11dc6354e", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "", "modified": "2023-12-24T22:02:36.942000", "created": "2023-12-04T18:26:39.448000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65612df2a7b287c614a94f94", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df2a7b287c614a94f94", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:50.158000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df1531ea0c35d79b1f4", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:49.909000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654d29a8dbbe8d0bcc16ed1a", "name": "iOS Tracking \u2192 imitation imap: imap.kehlenbach.net | C2 | Cybercrime", "description": "", "modified": "2023-12-09T08:01:01.882000", "created": "2023-11-09T18:49:12.887000", "tags": [ "ssl certificate", "tsara brashears", "apple ios", "whois record", "virus network", "critical risk", "tracker", "cyberstalking", "drive", "apple phone", "hacktool", "installer", "brashears", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": "654cabd6bb3319558bf2cd38", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 97, "FileHash-SHA256": 1170, "domain": 593, "hostname": 1179, "URL": 3246 }, "indicator_count": 6384, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654cabd6bb3319558bf2cd38", "name": "iOS Tracking \u2192 imitation imap: imap.kehlenbach.net | C2 | Cybercrime", "description": "BotNet campaign, malvertizing, radar tracking, iOS, OS, IP, dns, location tracking, password cracker, faux Pinterest, phishing, malicious domain.\nTargets:\nhttps://pin.it/ (Dangerous IP)\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ (phishing)\t\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\n(password cracker)\t\nhttps://www.pornhub.com/video/search?search=tsara+brashears ( Buff Achievement Tracker)\nhttps://www.sweetheartvideo.com/tsara-brashears/ (botnetwork, tracking):\npin.it (TB IP)\nww.google.com.uy. (Brashears IP addresses) \notc.greatcall.com (Botnetwork, tracking call)\n0-129-103-71imap-intranet-pv-175-166.matomo.cloud (location collection, call, message, email)\nhttps://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= (Transactional email collection)\n\napple iOS, imap", "modified": "2023-12-09T08:01:01.882000", "created": "2023-11-09T09:52:22.834000", "tags": [ "ssl certificate", "tsara brashears", "apple ios", "whois record", "virus network", "critical risk", "tracker", "cyberstalking", "drive", "apple phone", "hacktool", "installer", "brashears", "et" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 97, "FileHash-SHA256": 1170, "domain": 593, "hostname": 1179, "URL": 3246 }, "indicator_count": 6384, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://rslander.sweetheartvideo.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://rslander.sweetheartvideo.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776643512.6375258 }