{ "type": "URL", "indicator": "https://rws.subalipack.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://rws.subalipack.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3381966829, "indicator": "https://rws.subalipack.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "6a141c15cfec672ba39e6a17", "name": "S0094 clone credit score blue ", "description": "", "modified": "2026-05-25T10:03:13.774000", "created": "2026-05-25T09:53:25.429000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": "6665d55d941729c5f283b3f7", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2951, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17067, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69640c0afc9805a6fa2da07b", "name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]", "description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai", "modified": "2026-02-10T20:03:47.214000", "created": "2026-01-11T20:46:02.176000", "tags": [ "lark kdence", "zack dare", "zafira", "jon bonus", "andy flebbe", "div div", "present nov", "a domains", "united", "script urls", "div a", "script domains", "discover", "moved", "insert", "x0 tw", "urls", "cloudfront x", "title error", "url analysis", "reverse dns", "servers", "name servers", "united states", "all ipv4", "aaaa", "ip address", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "evasion att", "t1480 execution", "ascii text", "mitre att", "pattern match", "null", "error", "click", "hybrid", "general", "local", "path", "starfield", "strings", "refresh", "tools", "meta", "onload", "span", "data upload", "extraction", "type", "extra", "referen https", "include review", "exclude sugges", "stop", "aivoes typ", "passive dns", "date", "united states", "status", "domain add", "files", "hostname", "read c", "medium", "search", "show", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "amazon02", "as autonomous", "system", "asn16509", "domain", "current dns", "a record", "as16509", "december", "ip information", "ipasns ip", "google", "fastly", "googlecl", "akamaias", "cloudflar", "domain tree", "links ip", "address as", "cisco", "umbrella rank", "general full", "url https", "software", "resource hash", "protocol h2", "security tls", "hostname add", "challengescript", "captchascript", "name", "value", "source level", "url text", "automatic", "webgl", "please", "extr data", "data", "size", "title", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "entries", "rgba", "unicode", "asnone", "malware", "port", "destination", "tlsv1", "tls handshake", "failure", "roboto", "msie", "windows nt", "wow64", "slcc2", "media center", "expiration", "url http", "no expiration", "present jan", "unknown ns", "certificate", "body", "present oct", "present may", "present dec", "present sep", "present feb", "showing", "next associated", "all se", "pulse pulses", "http", "files domain", "files related", "pulses none", "debiak", "tsara brashears", "ai", "palantir", "muso ai", "sort", "artists", "royalties", "music", "songwriter", "collect", "view", "malicious app", "false claims" ], "references": [ "https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a", "22.hio52.r.cloudfront.net", "us-gov-west-1.gov.reveal-global.com", "us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647", "MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page", "External Hosts Israel Unique Countries 2 Unique ASNs 2 IP", "ASN 82.80.204.63 www5.incredimail.com \u2022 Israel", "United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel", "AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel", "Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)", "IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5", "Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com", "medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com", "caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com", "upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com", "https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/", "http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com", "https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com", "engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com", "https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com", "http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/", "https://glare.pali om. \u2022 http://engage.palantirfou?", "What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co", "(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022", "www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!", "campdeadwood2026.com", "http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy", "Pornhub to your phone. Dumping or by request?", "https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/", "www.killer333.club So I\u2019m right." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Incredimail-6804483-0", "display_name": "Win.Malware.Incredimail-6804483-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "TA0028", "name": "Persistence", "display_name": "TA0028 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10686, "hostname": 2427, "domain": 1094, "FileHash-MD5": 175, "FileHash-SHA1": 65, "FileHash-SHA256": 1118, "email": 4, "SSLCertFingerprint": 14 }, "indicator_count": 15583, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6962b68da732abc66a0c2caf", "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus", "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else", "modified": "2026-02-09T19:00:09.890000", "created": "2026-01-10T20:29:01.675000", "tags": [ "ip address", "status code", "kb body", "iocs", "deny age", "cloudfront", "utc google", "tag manager", "g8t6ln06z40", "utc na", "google tag", "injection", "t1055 malware", "tree", "help v", "defense evasion", "injection t1055", "resolved ips", "get http", "dns resolutions", "v memory", "pattern domains", "full reports", "v help", "memory pattern", "urls https", "hashes", "tiktok", "microsoft", "dashboard falcon", "request", "windows nt", "win64", "khtml", "gecko", "response", "appleid", "united", "name servers", "aaaa", "servers", "moved", "script urls", "passive dns", "urls", "data upload", "extraction", "failed", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "pegasus", "encrypt", "title error", "ipv4", "files", "reverse dns", "united states", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "t1204 user", "script", "beginstring", "bad traffic", "et info", "null", "title", "refresh", "span", "strings", "error", "tools", "meta", "look", "verify", "restart", "mitre att", "ascii text", "pattern match", "ck matrix", "tls handshake", "hybrid", "general", "local", "path", "click", "ck techniques", "access att", "div div", "a li", "ul div", "record value", "emails", "accept", "referen https", "microsoft-falcon.net", "proxy", "status", "certificate", "updated date", "whois server", "zipcode", "entries http", "scans show", "search", "matches x", "type", "gmt cache", "all ipv4", "america flag", "america asn", "sameorigin", "urls show", "date checked", "url hostname", "server response", "google safe", "results jan", "ipv4 add", "win32mydoom jan", "trojan", "worm", "expiration date", "files show", "date hash", "avast avg", "win32mydoom", "backdoor", "found", "gmt connection", "control", "content type", "twitter", "dynamicloader", "medium", "high", "msie", "wow64", "slcc2", "media center", "write", "global", "domain name", "hostname", "apple", "racebook", "mouse movement", "remote mouse", "domain", "hostname add", "url analysis", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "music", "push", "autorun", "unknown", "present sep", "present may", "present jan", "present aug", "cname", "present nov", "present jun", "apache", "body", "pragma", "found registry", "able", "model", "indicator", "source", "show technique", "file", "internet", "errore", "erreur", "download", "service", "crypto", "compiler", "installer", "yang", "updater", "shutdown", "thunk", "este", "install", "reboot", "code", "downloader", "sigur", "kanna", "der zugriff", "google", "chrome", "Pahamify Pegasus", "christoper p. ahmann", "law enforcement", "retaliation", "phone", "espionage", "united states", "m brian sabey", "quasi government", "target", "monitored targeting", "aig", "therahand (old name)", "target: tsara brashears", "douglas county, co", "sheriff", "industry and commerce", "worker\u2019s compensation", "crime", "financial crime", "danger", "nem tih", "amazon", "aws", "amazon aws", "deal", "deal with it lawfully", "pay victim", "protecting reimer" ], "references": [ "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "Pahamify Pegasus", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "tv.apple.com", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "IDS: TLS Handshake Failure", "Yara Detections BackdoorWin32Simda", "Google_Chrome_64bit_v136.0.7103.49.exe", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "https://wallpapers-nature.com/tsara-brashears/urlscan-io" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Virus:Win95/Cerebrus", "display_name": "Virus:Win95/Cerebrus", "target": "/malware/Virus:Win95/Cerebrus" }, { "id": "AutoRunIt", "display_name": "AutoRunIt", "target": null }, { "id": "Sigur", "display_name": "Sigur", "target": null }, { "id": "Kanna", "display_name": "Kanna", "target": null }, { "id": "Der Zugriff", "display_name": "Der Zugriff", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1134.002", "name": "Create Process with Token", "display_name": "T1134.002 - Create Process with Token" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1560.002", "name": "Archive via Library", "display_name": "T1560.002 - Archive via Library" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" } ], "industries": [ "Civil Society", "Legal", "Government", "Technology", "Telecommunications", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6094, "domain": 1195, "hostname": 2001, "FileHash-SHA256": 2598, "FileHash-MD5": 546, "FileHash-SHA1": 403, "email": 16, "CVE": 2, "SSLCertFingerprint": 3 }, "indicator_count": 12858, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "110 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d55d941729c5f283b3f7", "name": "S0094-Remote Access - Assurance [a Prudential company]", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:16:29.634000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "690 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d9ae1b06b560698b2a70", "name": "Assurance [a Prudential company] S0094-Remote Access", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:34:54.161000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "690 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707ed1b2c24f71d408f58a", "name": "lvc.org", "description": "", "modified": "2023-12-06T14:01:52.611000", "created": "2023-12-06T14:01:52.611000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "hostname": 3051, "FileHash-SHA256": 524, "URL": 14286, "domain": 1501, "email": 3, "FileHash-SHA1": 12 }, "indicator_count": 19379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6213ffb8b8b4c14bf3c0420f", "name": "lvc.org", "description": "", "modified": "2022-03-23T00:02:04.887000", "created": "2022-02-21T21:10:16.849000", "tags": [ "algorithm", "key identifier", "x509v3 subject", "solutions", "llc creation", "date", "categories", "ranks rank", "value ingestion", "time majestic", "umbrella", "masking enabled", "win32 exe", "server", "email", "registrar abuse", "practice", "gre premium", "code", "registrar url", "score" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14286, "hostname": 3051, "domain": 1501, "FileHash-SHA256": 524, "CVE": 2, "email": 3, "FileHash-SHA1": 12 }, "indicator_count": 19379, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page", "caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com", "https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/", "AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel", "(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.", "https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy", "Google_Chrome_64bit_v136.0.7103.49.exe", "United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel", "us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647", "https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com", "upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "https://glare.pali om. \u2022 http://engage.palantirfou?", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "External Hosts Israel Unique Countries 2 Unique ASNs 2 IP", "campdeadwood2026.com", "https://test2.ditproducts.com/dat/wannacry1.html", "Domains Contacted: simplesausages.cx.cc adobe.com", "Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)", "www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022", "https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/", "22.hio52.r.cloudfront.net", "https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a", "ASN 82.80.204.63 www5.incredimail.com \u2022 Israel", "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "us-gov-west-1.gov.reveal-global.com", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "tv.apple.com", "IDS: TLS Handshake Failure", "Assurance", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Pornhub to your phone. Dumping or by request?", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Yara Detections BackdoorWin32Simda", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "Pahamify Pegasus", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "CVE-2023-22518 | CVE-2023-4966", "https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com", "IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5", "www.killer333.club So I\u2019m right." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly," ], "malware_families": [ "Autorunit", "Win.malware.incredimail-6804483-0", "Mydoom", "Kanna", "Virus:win95/cerebrus", "Win.trojan.xtoober-650", "Trojan:win32/startpage.ss", "Win.packed.pincav-7537597-0", "Der zugriff", "Trojan:win32/pariham.a", "Trojan.karagany - s0094", "Sigur", "Alf:jasyp:trojandownloader:win32/karagany!atmn", "Win32:karagany-d\\ [trj]" ], "industries": [ "Legal", "Government", "Civil society", "Telecommunications", "Healthcare", "Financial", "Technology", "Finance - insurance sector" ], "unique_indicators": 62552 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/subalipack.com", "whois": "http://whois.domaintools.com/subalipack.com", "domain": "subalipack.com", "hostname": "rws.subalipack.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "6a141c15cfec672ba39e6a17", "name": "S0094 clone credit score blue ", "description": "", "modified": "2026-05-25T10:03:13.774000", "created": "2026-05-25T09:53:25.429000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": "6665d55d941729c5f283b3f7", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2951, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17067, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69640c0afc9805a6fa2da07b", "name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]", "description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai", "modified": "2026-02-10T20:03:47.214000", "created": "2026-01-11T20:46:02.176000", "tags": [ "lark kdence", "zack dare", "zafira", "jon bonus", "andy flebbe", "div div", "present nov", "a domains", "united", "script urls", "div a", "script domains", "discover", "moved", "insert", "x0 tw", "urls", "cloudfront x", "title error", "url analysis", "reverse dns", "servers", "name servers", "united states", "all ipv4", "aaaa", "ip address", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "evasion att", "t1480 execution", "ascii text", "mitre att", "pattern match", "null", "error", "click", "hybrid", "general", "local", "path", "starfield", "strings", "refresh", "tools", "meta", "onload", "span", "data upload", "extraction", "type", "extra", "referen https", "include review", "exclude sugges", "stop", "aivoes typ", "passive dns", "date", "united states", "status", "domain add", "files", "hostname", "read c", "medium", "search", "show", "memcommit", "high", "checks", "windows", "delete", "execution", "dock", "write", "persistence", "capture", "next", "amazon02", "as autonomous", "system", "asn16509", "domain", "current dns", "a record", "as16509", "december", "ip information", "ipasns ip", "google", "fastly", "googlecl", "akamaias", "cloudflar", "domain tree", "links ip", "address as", "cisco", "umbrella rank", "general full", "url https", "software", "resource hash", "protocol h2", "security tls", "hostname add", "challengescript", "captchascript", "name", "value", "source level", "url text", "automatic", "webgl", "please", "extr data", "data", "size", "title", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "entries", "rgba", "unicode", "asnone", "malware", "port", "destination", "tlsv1", "tls handshake", "failure", "roboto", "msie", "windows nt", "wow64", "slcc2", "media center", "expiration", "url http", "no expiration", "present jan", "unknown ns", "certificate", "body", "present oct", "present may", "present dec", "present sep", "present feb", "showing", "next associated", "all se", "pulse pulses", "http", "files domain", "files related", "pulses none", "debiak", "tsara brashears", "ai", "palantir", "muso ai", "sort", "artists", "royalties", "music", "songwriter", "collect", "view", "malicious app", "false claims" ], "references": [ "https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a", "22.hio52.r.cloudfront.net", "us-gov-west-1.gov.reveal-global.com", "us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647", "MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page", "External Hosts Israel Unique Countries 2 Unique ASNs 2 IP", "ASN 82.80.204.63 www5.incredimail.com \u2022 Israel", "United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel", "AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel", "Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)", "IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5", "Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com", "medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com", "caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com", "upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com", "https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master", "https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master", "https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/", "http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com", "https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com", "engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com", "https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com", "http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/", "https://glare.pali om. \u2022 http://engage.palantirfou?", "What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co", "(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022", "www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!", "campdeadwood2026.com", "http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy", "Pornhub to your phone. Dumping or by request?", "https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/", "www.killer333.club So I\u2019m right." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Incredimail-6804483-0", "display_name": "Win.Malware.Incredimail-6804483-0", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "TA0028", "name": "Persistence", "display_name": "TA0028 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10686, "hostname": 2427, "domain": 1094, "FileHash-MD5": 175, "FileHash-SHA1": 65, "FileHash-SHA256": 1118, "email": 4, "SSLCertFingerprint": 14 }, "indicator_count": 15583, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6962b68da732abc66a0c2caf", "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus", "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else", "modified": "2026-02-09T19:00:09.890000", "created": "2026-01-10T20:29:01.675000", "tags": [ "ip address", "status code", "kb body", "iocs", "deny age", "cloudfront", "utc google", "tag manager", "g8t6ln06z40", "utc na", "google tag", "injection", "t1055 malware", "tree", "help v", "defense evasion", "injection t1055", "resolved ips", "get http", "dns resolutions", "v memory", "pattern domains", "full reports", "v help", "memory pattern", "urls https", "hashes", "tiktok", "microsoft", "dashboard falcon", "request", "windows nt", "win64", "khtml", "gecko", "response", "appleid", "united", "name servers", "aaaa", "servers", "moved", "script urls", "passive dns", "urls", "data upload", "extraction", "failed", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "pegasus", "encrypt", "title error", "ipv4", "files", "reverse dns", "united states", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "t1204 user", "script", "beginstring", "bad traffic", "et info", "null", "title", "refresh", "span", "strings", "error", "tools", "meta", "look", "verify", "restart", "mitre att", "ascii text", "pattern match", "ck matrix", "tls handshake", "hybrid", "general", "local", "path", "click", "ck techniques", "access att", "div div", "a li", "ul div", "record value", "emails", "accept", "referen https", "microsoft-falcon.net", "proxy", "status", "certificate", "updated date", "whois server", "zipcode", "entries http", "scans show", "search", "matches x", "type", "gmt cache", "all ipv4", "america flag", "america asn", "sameorigin", "urls show", "date checked", "url hostname", "server response", "google safe", "results jan", "ipv4 add", "win32mydoom jan", "trojan", "worm", "expiration date", "files show", "date hash", "avast avg", "win32mydoom", "backdoor", "found", "gmt connection", "control", "content type", "twitter", "dynamicloader", "medium", "high", "msie", "wow64", "slcc2", "media center", "write", "global", "domain name", "hostname", "apple", "racebook", "mouse movement", "remote mouse", "domain", "hostname add", "url analysis", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "music", "push", "autorun", "unknown", "present sep", "present may", "present jan", "present aug", "cname", "present nov", "present jun", "apache", "body", "pragma", "found registry", "able", "model", "indicator", "source", "show technique", "file", "internet", "errore", "erreur", "download", "service", "crypto", "compiler", "installer", "yang", "updater", "shutdown", "thunk", "este", "install", "reboot", "code", "downloader", "sigur", "kanna", "der zugriff", "google", "chrome", "Pahamify Pegasus", "christoper p. ahmann", "law enforcement", "retaliation", "phone", "espionage", "united states", "m brian sabey", "quasi government", "target", "monitored targeting", "aig", "therahand (old name)", "target: tsara brashears", "douglas county, co", "sheriff", "industry and commerce", "worker\u2019s compensation", "crime", "financial crime", "danger", "nem tih", "amazon", "aws", "amazon aws", "deal", "deal with it lawfully", "pay victim", "protecting reimer" ], "references": [ "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "Pahamify Pegasus", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "tv.apple.com", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "IDS: TLS Handshake Failure", "Yara Detections BackdoorWin32Simda", "Google_Chrome_64bit_v136.0.7103.49.exe", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "https://wallpapers-nature.com/tsara-brashears/urlscan-io" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Virus:Win95/Cerebrus", "display_name": "Virus:Win95/Cerebrus", "target": "/malware/Virus:Win95/Cerebrus" }, { "id": "AutoRunIt", "display_name": "AutoRunIt", "target": null }, { "id": "Sigur", "display_name": "Sigur", "target": null }, { "id": "Kanna", "display_name": "Kanna", "target": null }, { "id": "Der Zugriff", "display_name": "Der Zugriff", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1134.002", "name": "Create Process with Token", "display_name": "T1134.002 - Create Process with Token" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1560.002", "name": "Archive via Library", "display_name": "T1560.002 - Archive via Library" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" } ], "industries": [ "Civil Society", "Legal", "Government", "Technology", "Telecommunications", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6094, "domain": 1195, "hostname": 2001, "FileHash-SHA256": 2598, "FileHash-MD5": 546, "FileHash-SHA1": 403, "email": 16, "CVE": 2, "SSLCertFingerprint": 3 }, "indicator_count": 12858, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "110 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d55d941729c5f283b3f7", "name": "S0094-Remote Access - Assurance [a Prudential company]", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:16:29.634000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "690 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d9ae1b06b560698b2a70", "name": "Assurance [a Prudential company] S0094-Remote Access", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:34:54.161000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "690 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707ed1b2c24f71d408f58a", "name": "lvc.org", "description": "", "modified": "2023-12-06T14:01:52.611000", "created": "2023-12-06T14:01:52.611000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "hostname": 3051, "FileHash-SHA256": 524, "URL": 14286, "domain": 1501, "email": 3, "FileHash-SHA1": 12 }, "indicator_count": 19379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6213ffb8b8b4c14bf3c0420f", "name": "lvc.org", "description": "", "modified": "2022-03-23T00:02:04.887000", "created": "2022-02-21T21:10:16.849000", "tags": [ "algorithm", "key identifier", "x509v3 subject", "solutions", "llc creation", "date", "categories", "ranks rank", "value ingestion", "time majestic", "umbrella", "masking enabled", "win32 exe", "server", "email", "registrar abuse", "practice", "gre premium", "code", "registrar url", "score" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14286, "hostname": 3051, "domain": 1501, "FileHash-SHA256": 524, "CVE": 2, "email": 3, "FileHash-SHA1": 12 }, "indicator_count": 19379, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://rws.subalipack.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://rws.subalipack.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780222418.9893425 }