{ "type": "URL", "indicator": "https://safe.imoneso.cn/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://safe.imoneso.cn/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3831495343, "indicator": "https://safe.imoneso.cn/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 20, "pulses": [ { "id": "66cd0d8da99ad679a1e5049b", "name": "VirusTotal Cl0p Ransomware Attack", "description": "Virustotal Ransomware attack when attempting to evaluate malicious link : http://bbd383ttka22.top/prize/luckyus-ad/nigh.php?c=69zejibbz5fz1&k=987ad34e7843dd8f3a3cb6559f188769&country_code=US&country_name=United%20States®ion=New%20York&city=Plainview&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=ja&ref_domain=&os=iOS&osv=16&browser=Chrome&browserv=115&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5\n Residual Cl0p Ransomware attack seen. \n\nAll Tags , Malware Families and Mitre ATT&CK results: Auto-populated.", "modified": "2024-09-25T22:04:23.320000", "created": "2024-08-26T23:19:41.093000", "tags": [ "please", "javascript", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "suricata ipv4", "united", "date", "suricata udpv4", "meta", "general", "twitter", "click", "strings", "virustotal", "body", "contact", "heur", "cisco umbrella", "malware", "site", "safe site", "suspected", "malware site", "filerepmetagen", "malicious site", "alexa top", "iframe", "wacatac", "downldr", "crack", "filetour", "cleaner", "exploit", "presenoker", "agent", "conduit", "riskware", "acint", "behav", "genkryptik", "phishing", "azorult", "cobalt strike", "runescape", "facebook", "bank", "download", "xrat", "installcore", "patcher", "adload", "cl0p", "trojanspy", "webtoolbar", "detection list", "blacklist", "mail spammer", "phishing site", "ip address", "malicious url", "ascii text", "et tor", "known tor", "misc attack", "pattern match", "relayrouter", "exit", "node traffic", "local", "core", "no data", "analyzer threat", "ip summary", "summary", "spammer", "node tcp", "traffic", "tor known", "ssh attacker", "attacker", "hostile host", "threats et", "cl0p ransomware", "analyzer paste", "iocs", "entity" ], "references": [ "https://www.virustotal.com/graph/http%3A%2F%2Fbbd383ttka22.top%2Fprize%2Fluckyus-ad%2Fnigh.php%3Fc%3D69zejibbz5fz1%26k%3D987ad34e7843dd8f3a3cb6559f188769%26country_code%3DUS%26country_name%3DUnited%2520States%26region%3DNew%2520York%26city%3DPlainview%26isp%3DMCI%2520Communications%2520Services%2C%2520Inc.%2520d%2Fb%2Fa%2520Verizon%2520Business%26lang%3Dja%26ref_domain%3D%26os%3DiOS%26osv%3D16%26browser%3DChrome%26browserv%3D115%26brand%3DApple%26model%3DiPhone%26marketing_name%3DiPhone%26tablet%3D2%26rheig", "bundled.toolbar.google | http://bundled.toolbar.google/http:/toolbar.google.| toolbar.google | https://bundled.toolbar.google/", "https://bundled.toolbar.google | http://toolbar.google.| http://bundled.toolbar.google/ | http://bundled.toolbar.google", "cryptpad.effi.org | cryptpad-sandbox.effi.org | www2.effi.org | tor.effi.org | tor-ou.effi.org", "www2.effi.org\t | tor.effi.org | tor-ou.effi.org", "op.lunistra.com | api.demand-iq.com", "Ransomware Report: https://www.hybrid-analysis.com/sample/c58e07f62f576d36567d74ca25bdff8374231e7985ff05a10bffbc5cb4296904/66ccf708c605284e0a0aea74" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 55, "hostname": 132, "FileHash-SHA256": 278, "FileHash-MD5": 138, "FileHash-SHA1": 65, "SSLCertFingerprint": 8, "URL": 269, "CVE": 8 }, "indicator_count": 953, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "571 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6695e27f356a22d97fba5ca8", "name": "Critical attack/s continues to affect YouTube Creator/s account/s", "description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23", "modified": "2024-08-15T02:00:24.886000", "created": "2024-07-16T03:01:17.316000", "tags": [ "win32 exe", "wextract", "kb file", "files", "file type", "javascript", "graph", "ip detections", "country", "userprofile", "runtime modules", "samplepath", "delnoderundll32", "mpgph131 hr", "hourly rl", "highest c", "mpgph131 lg", "onlogon rl", "highest", "process", "registrya", "registry keys", "registry", "windows policy", "shell folders", "file execution", "binary data", "security center", "text c", "peexe c", "xml c", "zip c", "file system", "written c", "dropped", "hashes", "windows nt", "wow64", "referer https", "date thu", "get https", "request", "gecko response", "gmt connection", "gmt vary", "etag", "accept", "win64", "query", "windows get", "internal", "set file", "create", "create process", "windows read", "shutdown system", "modify access", "delete registry", "enumerate", "behavior tags", "k0pmbc", "spsfsb", "ctsu", "efq78c", "egw7od", "en3i8d", "i6ydgd", "iz1fbc", "izt63", "kum7z", "vs2003", "sp1 build", "contained", "info compiler", "products", "header intel", "name md5", "type", "language", "simplified", "army", "variant sides", "with russia", "ramnit", "netsupport rat", "sneaky server", "replacement", "unauthorized", "sim unlock", "emotet", "chaos", "malicious", "critical", "copy", "life", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "cc linker", "urls", "gandi sas", "domains", "cloudflare", "ii llc", "psiusa", "domain robot", "ltd dba", "com laude", "ascio", "contacted", "ms word", "document", "b file", "html", "javascript jac", "html iu3", "executed by usa", "#wextract", "#unsigned", "thor", "stealer", "evader", "systemroot", "grum", "high", "delete c", "cape", "write", "103 read", "clsid read", "date read", "trojan", "united", "unknown", "status", "cname", "creation date", "search", "as1921", "austria unknown", "emails", "expiration date", "date", "pragma", "next", "passive dns", "backdoor", "win32", "scan endpoints", "all scoreblue", "ipv4", "usa", "co", "teams", "cybercrime", "spoof", "benjamin", "dynamicloader", "write c", "pe32 executable", "show", "yara rule", "windows", "recon", "worm", "powershell", "june", "delphi", "malware", "malice", "retaliation", "through the nights", "apple", "lenovo", "ios", "hackers", "move", "moved" ], "references": [ "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "https://www.youtube.com/watch?v=GyuMozsVyYs", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "nr-data.net [Apple Private Data Collection]", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WAT:Blacked-E", "display_name": "WAT:Blacked-E", "target": null }, { "id": "Win32:RmnDrp [Inf]", "display_name": "Win32:RmnDrp [Inf]", "target": null }, { "id": "AI:FileInfector.EAEEA7850C", "display_name": "AI:FileInfector.EAEEA7850C", "target": null }, { "id": "Virus.Ramnit/Nimnul", "display_name": "Virus.Ramnit/Nimnul", "target": null }, { "id": "Trojan.Crifi.1", "display_name": "Trojan.Crifi.1", "target": null }, { "id": "Trojan.MSIL.Injurer.cbd", "display_name": "Trojan.MSIL.Injurer.cbd", "target": null }, { "id": "Win.Downloader.Small-1645", "display_name": "Win.Downloader.Small-1645", "target": null }, { "id": "Trojan:Win32/Scrarev.C", "display_name": "Trojan:Win32/Scrarev.C", "target": "/malware/Trojan:Win32/Scrarev.C" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Speesipro.A", "display_name": "Trojan:Win32/Speesipro.A", "target": "/malware/Trojan:Win32/Speesipro.A" }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Backdoor:Win32/Likseput.B", "display_name": "Backdoor:Win32/Likseput.B", "target": "/malware/Backdoor:Win32/Likseput.B" }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003.007", "name": "Proc Filesystem", "display_name": "T1003.007 - Proc Filesystem" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology", "Civil Society", "Crime Victims" ], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4312, "domain": 1056, "hostname": 1818, "URL": 5125, "FileHash-MD5": 310, "FileHash-SHA1": 221, "email": 3 }, "indicator_count": 12845, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6694bb9be1b61bf820500004", "name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet", "description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.", "modified": "2024-08-14T05:03:59.815000", "created": "2024-07-15T06:03:07.423000", "tags": [ "historical ssl", "referrer", "december", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "highly targeted", "cyber attack", "emotet", "critical", "copy", "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "pragma", "form", "hope", "karma", "learn", "suspicious", "flag", "pe resource", "synaptics", "apeaksoft ios", "hiddentear", "urls", "domains", "contacted", "markmonitor", "win32 exe", "parents", "type name", "msrsaapp", "youtube bot", "rar jays", "mozilla firefox", "twitch", "samplename", "rar youtube", "zip youtube", "social bots", "files", "file type", "kb file", "b file", "graph", "get https", "msie", "windows nt", "win64", "slcc2", "media center", "request", "gmt server", "referer https", "amd64 accept", "accept", "code", "rwx memory", "managed code", "calls unmanaged", "native", "often seen", "base64 encrypt", "trojan", "tsara brashears", "red team hacking", "process32nextw", "regsetvalueexa", "regdword", "high", "medium", "objects", "regbinary", "module load", "t1129", "t1060", "crash", "dock", "persistence", "execution", "okhfjrtblzo", "ip check", "windows", "http host", "controlservice", "domain", "registry", "tools", "service", "worm", "malware", "win32", "bits", "read c", "intel", "ms windows", "pe32", "search", "type read", "show", "wow64", "stop", "write", "unknown", "waiting", "push", "next", "asnone united", "aaaa", "united kingdom", "as20738 host", "moved", "passive dns", "default", "delete c", "pe32 executable", "document file", "v2 document", "floodfix", "floxif", "name servers", "susp", "showing", "as55286", "scan endpoints", "all scoreblue", "ransom", "amadey", "songculture", "spreader", "tracey richter", "roberts", "michael roberts", "jays", "sabey", "rexxfield", "darklivity" ], "references": [ "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "Ransom: message.htm.com", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "W32.AIDetectMalware.CS", "display_name": "W32.AIDetectMalware.CS", "target": null }, { "id": "Win.Virus.Pioneer-9111434-0", "display_name": "Win.Virus.Pioneer-9111434-0", "target": null }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win32:Renos-KY\\ [Trj]", "display_name": "Win32:Renos-KY\\ [Trj]", "target": null }, { "id": ", Win.Worm.Pykspa-6057105-0", "display_name": ", Win.Worm.Pykspa-6057105-0", "target": null }, { "id": "Worm:Win32/Pykspa.C", "display_name": "Worm:Win32/Pykspa.C", "target": "/malware/Worm:Win32/Pykspa.C" }, { "id": "PUP/Hacktool", "display_name": "PUP/Hacktool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 439, "FileHash-SHA1": 386, "FileHash-SHA256": 2320, "URL": 1873, "domain": 478, "hostname": 839, "SSLCertFingerprint": 9, "email": 7 }, "indicator_count": 6351, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6692cf0e2273bb06aa43e43c", "name": "Banker: Through The Nights - YouTube | Errors |", "description": "YouTube creator issue. Hijacked channel. Won't open in VT, 303 error, ransomware files. Ransomware confirmed, limited access/research for today's pulse.", "modified": "2024-08-12T18:02:56.458000", "created": "2024-07-13T19:01:34.484000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "low risk", "domain", "no malware", "found", "site", "ip address", "google network", "unknown", "low security", "risk", "hacked", "protect", "path", "secure", "httponly", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "samesitenone", "http response", "final url", "status code", "body length", "kb body", "pragma", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "jess", "tsara brashears", "zafira songs", "youtube og", "hope", "html info", "meta tags", "data", "v3 serial", "number", "cus ogoogle", "trust", "llc cngts", "validity", "subject public", "key info", "key algorithm", "name", "whois lookup", "create date", "expiry date", "query time", "update date", "update", "passive dns", "gmt content", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "urls", "files", "related pulses", "error", "code", "algorithm", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 343, "SSLCertFingerprint": 8, "URL": 333, "domain": 69, "hostname": 165 }, "indicator_count": 924, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "615 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cc958e062575a9a160", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:24.154000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603369ad0e38e313883c4fa", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root HELP! RETALIATION HAS OCCURRED ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:56:58.037000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 4468, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603360b48908ae9b9835563", "name": "IoT Dark Nexus + Mirai BotNet HELP HER PLEASE!!- Enom | TELNET Root |", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:54:35.118000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015553ad4633eb85c66817", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:31.072000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015551faca20cb510f9121", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:29.149000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cdfd20f6237e3892c0", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:25.910000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980471600645142bcd924", "name": "Control Server | Browser Install| Kernel Modules and Extensions ", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-19T12:08:39.100000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "65f55ed2015e05ffbc2b72a8", "export_count": 186986, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f55ed2015e05ffbc2b72a8", "name": "Control Server | Browser Install| Kernel Modules and Extensions", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-16T08:56:50.387000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e3d1a94659d50264a78fd4", "name": "Phishing | TabExplorer attacks compromised networks and devices", "description": "", "modified": "2024-04-02T01:01:20.068000", "created": "2024-03-03T01:26:01.043000", "tags": [ "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "suricata udpv4", "date", "united", "windows nt", "win64", "hybrid", "general", "click", "strings", "contact", "url http", "url https", "scan endpoints", "all octoseek", "report spam", "hour ago", "whois record", "glasgow", "scan", "iocs", "next", "filehashsha256", "filehashmd5", "filehashsha1", "ipv4", "contacted", "execution", "pe resource", "communicating", "urls http", "referrer", "resolutions", "whois whois", "collections ip", "phishing", "attack", "loaded module", "remote procedure call", "search", "as15133 verizon", "passive dns", "urls", "creation date", "record value", "showing", "unknown", "as8075", "as15169 google", "as8068", "aaaa", "cname", "a domains", "meta", "entries", "gmt server", "ecacc saa83dd", "cobalt strike", "mozilla", "body", "brian sabey", "hallrender", "dynamicloader", "show", "alerts", "trojan", "copy", "dynamic", "medium", "reads", "write", "stealth network", "stealth_network", "script urls", "certificate", "rsa sha256", "exports data", "high", "yara rule", "yara detections", "njrat", "cape", "njrat malware", "sniffs", "guard", "write c", "delete c", "ms windows", "default", "intel", "openpgp public", "stream", "antivm_generic_disk", "antivm_generic_bios", "network_bind", "stealth_file spawns_dev_utility", "procmem_yara", "enumerates_physical_drives", "persistence_ads", "dynamic_function_loading", "reads_self", "suspicious_command_tools", "network", "rat" ], "references": [ "http://www.tabxexplorer.com [phishing]", "http://www.tabxexplorer.com/lenovo", "GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0", "identity_helper.exe", "cdn.easykeys.com", "hive21.ctcsoftware.com", "www.moxa.com", "msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com", "IDS Detections: Cobalt Strike Malleable C2 JQuery", "IDS Detections: Nullsoft Mozilla UA (NSISDL)", "IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))", "IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)", "IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe", "Tulach Malware: 114.114.114.114", "ns3.hallgrandsale.ru", "AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30", "AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3", "Yara Detection: Nullsoft_NSIS" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "ALF:Win32/GbdInf_305B1C9A.J!ibt", "display_name": "ALF:Win32/GbdInf_305B1C9A.J!ibt", "target": "/malware/ALF:Win32/GbdInf_305B1C9A.J!ibt" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool:Win32/CobaltStrike.A", "display_name": "HackTool:Win32/CobaltStrike.A", "target": "/malware/HackTool:Win32/CobaltStrike.A" }, { "id": "HackTool:Win32/Atosev.A", "display_name": "HackTool:Win32/Atosev.A", "target": "/malware/HackTool:Win32/Atosev.A" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Win.Malware.Generickdz-9938530-0", "display_name": "Win.Malware.Generickdz-9938530-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Civil Society", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5551, "hostname": 1690, "domain": 929, "FileHash-SHA256": 2696, "FileHash-MD5": 405, "FileHash-SHA1": 315, "email": 4, "SSLCertFingerprint": 1 }, "indicator_count": 11591, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "747 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d8c371cc0957afd9195ae0", "name": ":MalwareX-gen\\ [Trj]", "description": "", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T16:10:26", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": "65d85bc3164cd519bc4a282d", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d85bc3164cd519bc4a282d", "name": "Win32:RansomX-gen\\ [Ransom] \u2022 Win32:MalwareX-gen\\ [Trj]", "description": "https://otx.alienvault.com/indicator/ doesn't finish loading. Unable to analyze detections.\nnetwork_icmp\nallocates_rwx\npacker_entropy\nhas_pdb\npe_unknown_resource_name\nsysinternals_tools_usage\nallocates_rwx\nsuspicious_process", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T08:48:03.696000", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c942169a345feccec332cd", "name": "Miscellaneous Attack - https://house.mo.gov/", "description": "Researchers at the University of Missouri in Missouri have published their results on a new web server called \"revisor.com\" (revisors.mo.gov) for the next three years..", "modified": "2024-03-12T21:02:15.675000", "created": "2024-02-11T21:54:30.139000", "tags": [ "threat analyzer", "threat", "paste", "iocs", "urls https", "showcctrue", "locationchamber", "viewmode3", "analyze", "hostname", "samples", "url https", "span", "pattern match", "script", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "input", "iframe", "body", "form", "error", "night", "bill", "february", "hybrid", "general", "local", "click", "strings", "footer", "no data", "tag count", "count blacklist", "tag tag", "heim", "a domains", "as393601 state", "united", "link", "object", "title", "statutes", "passive dns", "urls", "cname", "meta", "date", "encrypt", "aaaa", "as8987 amazon", "nxdomain", "whitelisted", "a nxdomain", "scan endpoints", "next", "all octoseek", "ipv4", "trojan", "verdana", "x content", "x xss", "sameorigin x", "pulse submit", "unknown", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "as397241", "name servers", "center oak", "city sterling", "code us", "name security", "phone number", "postal code", "pulse pulses", "files", "representative rex", "threat report", "ip summary", "url summary", "summary", "sample", "detection list", "blacklist", "session", "session floor", "hearings", "sunday", "missouri", "filter view", "new recordings", "no filter", "session jcr", "hearing house", "live", "label", "core", "script urls", "r3 dv", "tls ca" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 130, "FileHash-SHA1": 81, "FileHash-SHA256": 263, "URL": 704, "domain": 368, "hostname": 467, "email": 1 }, "indicator_count": 2014, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "768 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b6b54d59d24b1522364fd6", "name": "AiCloud - Comcast Dnspionage", "description": "AiCloud, a cloud-based app that connects to Apple and Google, has been compromised by a malicious virus.", "modified": "2024-02-27T19:04:14.842000", "created": "2024-01-28T20:13:01.311000", "tags": [ "prefetch8", "command decode", "prefetch1", "suricata ipv4", "suricata udpv4", "mitre att", "united", "ck id", "show technique", "ck matrix", "date", "hybrid", "general", "click", "strings", "contact", "passive dns", "as7922 comcast", "x ua", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "meta", "status", "creation date", "search", "record value", "expiration date", "name servers", "next", "ai cloud", "cname", "as7018 att", "win32", "entries", "unknown", "body", "no redirect", "dynamicloader", "msie", "windows nt", "as16509", "medium", "default", "show", "copy", "powershell", "write", "pegasus", "apple mobile", "content", "nso group", "apple web", "apple app capable", "typosquatting", "spyware", "epoch" ], "references": [ "c-67-181-73-197.hsd1.ca.comcast.net", "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259", "identity_helper.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 522, "URL": 1194, "domain": 440, "FileHash-SHA256": 1528, "CVE": 1, "email": 2, "FileHash-MD5": 297, "FileHash-SHA1": 297 }, "indicator_count": 4281, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b806e2724db65b47cf66e0", "name": "AiCloud - Comcast Dnspionage", "description": "", "modified": "2024-02-27T19:04:14.842000", "created": "2024-01-29T20:13:22.271000", "tags": [ "prefetch8", "command decode", "prefetch1", "suricata ipv4", "suricata udpv4", "mitre att", "united", "ck id", "show technique", "ck matrix", "date", "hybrid", "general", "click", "strings", "contact", "passive dns", "as7922 comcast", "x ua", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "meta", "status", "creation date", "search", "record value", "expiration date", "name servers", "next", "ai cloud", "cname", "as7018 att", "win32", "entries", "unknown", "body", "no redirect", "dynamicloader", "msie", "windows nt", "as16509", "medium", "default", "show", "copy", "powershell", "write", "pegasus", "apple mobile", "content", "nso group", "apple web", "apple app capable", "typosquatting", "spyware", "epoch" ], "references": [ "c-67-181-73-197.hsd1.ca.comcast.net", "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259", "identity_helper.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": "65b6b54d59d24b1522364fd6", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 522, "URL": 1194, "domain": 440, "FileHash-SHA256": 1528, "CVE": 1, "email": 2, "FileHash-MD5": 297, "FileHash-SHA1": 297 }, "indicator_count": 4281, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "Ransomware Report: https://www.hybrid-analysis.com/sample/c58e07f62f576d36567d74ca25bdff8374231e7985ff05a10bffbc5cb4296904/66ccf708c605284e0a0aea74", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: Cobalt Strike Malleable C2 JQuery", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "https://www.youtube.com/watch?v=GyuMozsVyYs", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "newrelic.se", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "hive21.ctcsoftware.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "www.moxa.com", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "https://api.wavebrowserbase.com", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "bundled.toolbar.google | http://bundled.toolbar.google/http:/toolbar.google.| toolbar.google | https://bundled.toolbar.google/", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "http://www.tabxexplorer.com [phishing]", "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "cdn.easykeys.com", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "IDS Detections: Nullsoft Mozilla UA (NSISDL)", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "http://www.tabxexplorer.com/lenovo", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "nr-data.net [Apple Private Data Collection]", "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "Yara Detection: Nullsoft_NSIS", "https://bundled.toolbar.google | http://toolbar.google.| http://bundled.toolbar.google/ | http://bundled.toolbar.google", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "c-67-181-73-197.hsd1.ca.comcast.net", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "cryptpad.effi.org | cryptpad-sandbox.effi.org | www2.effi.org | tor.effi.org | tor-ou.effi.org", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "HOSTEDBYAPPLIEDI.NET - Enom", "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "op.lunistra.com | api.demand-iq.com", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Ransom: message.htm.com", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "0-w5-cms.ultimate-guitar.com", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30", "IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe", "Ryuk: kramtechnology.com", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]", "Ryuk: http://kramtechnology.com/", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "identity_helper.exe", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Botnet Server IP: 141.226.230.48", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "ns3.hallgrandsale.ru", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Tulach Malware: 114.114.114.114", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com", "https://www.virustotal.com/graph/http%3A%2F%2Fbbd383ttka22.top%2Fprize%2Fluckyus-ad%2Fnigh.php%3Fc%3D69zejibbz5fz1%26k%3D987ad34e7843dd8f3a3cb6559f188769%26country_code%3DUS%26country_name%3DUnited%2520States%26region%3DNew%2520York%26city%3DPlainview%26isp%3DMCI%2520Communications%2520Services%2C%2520Inc.%2520d%2Fb%2Fa%2520Verizon%2520Business%26lang%3Dja%26ref_domain%3D%26os%3DiOS%26osv%3D16%26browser%3DChrome%26browserv%3D115%26brand%3DApple%26model%3DiPhone%26marketing_name%3DiPhone%26tablet%3D2%26rheig", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "www2.effi.org\t | tor.effi.org | tor-ou.effi.org" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Out For Blood" ], "malware_families": [ "Elf:mirai-gh\\ [trj]", "Hacktool:win32/atosev.a", "Trojandownloader:win32/nemucod", "Webtoolbar", "Virus.ramnit/nimnul", "Win.malware.generickdz-9938530-0", "Alf:heraklezeval:trojanspy:win32/socstealer", "Generic", "Trojanspy", "Alf:trojan:msil/agenttesla.km", "Win.downloader.small-1645", "Trojandownloader:win32/cutwail", "Trojandownloader:win32/cutwail.bs", "Trojan:win32/scrarev.c", "Backdoor:win32/likseput.b", "Tulach", "Cobalt strike", "Pegasus", "Alf:win32/gbdinf_305b1c9a.j!ibt", "Trojandownloader:win32/upatre", "Hallrender", "Sabey", "Ai:fileinfector.eaeea7850c", ", win.worm.pykspa-6057105-0", "Win32:renos-ky\\ [trj]", "Pws:win32/qqpass.b!mtb", "Emotet", "Wat:blacked-e", "Maltiverse", "Hacktool:win32/cobaltstrike.a", "Mirai", "Virus:win32/sality.at", "Backdoor.xtreme", "Pup/hacktool", "W32.aidetectmalware.cs", "Cl0p", "Alf:heraklezeval:trojan:win32/clipbanker", "Trojan.msil.injurer.cbd", "Worm:win32/benjamin", "Androidoverlaymalware - mob-s0012", "Win32:rmndrp [inf]", "Trojan:win32/zombie.a", "Win.virus.pioneer-9111434-0", "Ransom", "Unix.trojan.darknexus-7679166-0", "Virus:win32/floxif.h", "Worm:win32/pykspa.c", "Trojan:win32/speesipro.a", "Trojan.crifi.1" ], "industries": [ "Telecommunications", "Technology", "Private sector", "Civil society", "Healthcare", "Crime victims", "Media" ], "unique_indicators": 82549 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/imoneso.cn", "whois": "http://whois.domaintools.com/imoneso.cn", "domain": "imoneso.cn", "hostname": "safe.imoneso.cn" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 20, "pulses": [ { "id": "66cd0d8da99ad679a1e5049b", "name": "VirusTotal Cl0p Ransomware Attack", "description": "Virustotal Ransomware attack when attempting to evaluate malicious link : http://bbd383ttka22.top/prize/luckyus-ad/nigh.php?c=69zejibbz5fz1&k=987ad34e7843dd8f3a3cb6559f188769&country_code=US&country_name=United%20States®ion=New%20York&city=Plainview&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=ja&ref_domain=&os=iOS&osv=16&browser=Chrome&browserv=115&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5\n Residual Cl0p Ransomware attack seen. \n\nAll Tags , Malware Families and Mitre ATT&CK results: Auto-populated.", "modified": "2024-09-25T22:04:23.320000", "created": "2024-08-26T23:19:41.093000", "tags": [ "please", "javascript", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "suricata ipv4", "united", "date", "suricata udpv4", "meta", "general", "twitter", "click", "strings", "virustotal", "body", "contact", "heur", "cisco umbrella", "malware", "site", "safe site", "suspected", "malware site", "filerepmetagen", "malicious site", "alexa top", "iframe", "wacatac", "downldr", "crack", "filetour", "cleaner", "exploit", "presenoker", "agent", "conduit", "riskware", "acint", "behav", "genkryptik", "phishing", "azorult", "cobalt strike", "runescape", "facebook", "bank", "download", "xrat", "installcore", "patcher", "adload", "cl0p", "trojanspy", "webtoolbar", "detection list", "blacklist", "mail spammer", "phishing site", "ip address", "malicious url", "ascii text", "et tor", "known tor", "misc attack", "pattern match", "relayrouter", "exit", "node traffic", "local", "core", "no data", "analyzer threat", "ip summary", "summary", "spammer", "node tcp", "traffic", "tor known", "ssh attacker", "attacker", "hostile host", "threats et", "cl0p ransomware", "analyzer paste", "iocs", "entity" ], "references": [ "https://www.virustotal.com/graph/http%3A%2F%2Fbbd383ttka22.top%2Fprize%2Fluckyus-ad%2Fnigh.php%3Fc%3D69zejibbz5fz1%26k%3D987ad34e7843dd8f3a3cb6559f188769%26country_code%3DUS%26country_name%3DUnited%2520States%26region%3DNew%2520York%26city%3DPlainview%26isp%3DMCI%2520Communications%2520Services%2C%2520Inc.%2520d%2Fb%2Fa%2520Verizon%2520Business%26lang%3Dja%26ref_domain%3D%26os%3DiOS%26osv%3D16%26browser%3DChrome%26browserv%3D115%26brand%3DApple%26model%3DiPhone%26marketing_name%3DiPhone%26tablet%3D2%26rheig", "bundled.toolbar.google | http://bundled.toolbar.google/http:/toolbar.google.| toolbar.google | https://bundled.toolbar.google/", "https://bundled.toolbar.google | http://toolbar.google.| http://bundled.toolbar.google/ | http://bundled.toolbar.google", "cryptpad.effi.org | cryptpad-sandbox.effi.org | www2.effi.org | tor.effi.org | tor-ou.effi.org", "www2.effi.org\t | tor.effi.org | tor-ou.effi.org", "op.lunistra.com | api.demand-iq.com", "Ransomware Report: https://www.hybrid-analysis.com/sample/c58e07f62f576d36567d74ca25bdff8374231e7985ff05a10bffbc5cb4296904/66ccf708c605284e0a0aea74" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 55, "hostname": 132, "FileHash-SHA256": 278, "FileHash-MD5": 138, "FileHash-SHA1": 65, "SSLCertFingerprint": 8, "URL": 269, "CVE": 8 }, "indicator_count": 953, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "571 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6695e27f356a22d97fba5ca8", "name": "Critical attack/s continues to affect YouTube Creator/s account/s", "description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23", "modified": "2024-08-15T02:00:24.886000", "created": "2024-07-16T03:01:17.316000", "tags": [ "win32 exe", "wextract", "kb file", "files", "file type", "javascript", "graph", "ip detections", "country", "userprofile", "runtime modules", "samplepath", "delnoderundll32", "mpgph131 hr", "hourly rl", "highest c", "mpgph131 lg", "onlogon rl", "highest", "process", "registrya", "registry keys", "registry", "windows policy", "shell folders", "file execution", "binary data", "security center", "text c", "peexe c", "xml c", "zip c", "file system", "written c", "dropped", "hashes", "windows nt", "wow64", "referer https", "date thu", "get https", "request", "gecko response", "gmt connection", "gmt vary", "etag", "accept", "win64", "query", "windows get", "internal", "set file", "create", "create process", "windows read", "shutdown system", "modify access", "delete registry", "enumerate", "behavior tags", "k0pmbc", "spsfsb", "ctsu", "efq78c", "egw7od", "en3i8d", "i6ydgd", "iz1fbc", "izt63", "kum7z", "vs2003", "sp1 build", "contained", "info compiler", "products", "header intel", "name md5", "type", "language", "simplified", "army", "variant sides", "with russia", "ramnit", "netsupport rat", "sneaky server", "replacement", "unauthorized", "sim unlock", "emotet", "chaos", "malicious", "critical", "copy", "life", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "cc linker", "urls", "gandi sas", "domains", "cloudflare", "ii llc", "psiusa", "domain robot", "ltd dba", "com laude", "ascio", "contacted", "ms word", "document", "b file", "html", "javascript jac", "html iu3", "executed by usa", "#wextract", "#unsigned", "thor", "stealer", "evader", "systemroot", "grum", "high", "delete c", "cape", "write", "103 read", "clsid read", "date read", "trojan", "united", "unknown", "status", "cname", "creation date", "search", "as1921", "austria unknown", "emails", "expiration date", "date", "pragma", "next", "passive dns", "backdoor", "win32", "scan endpoints", "all scoreblue", "ipv4", "usa", "co", "teams", "cybercrime", "spoof", "benjamin", "dynamicloader", "write c", "pe32 executable", "show", "yara rule", "windows", "recon", "worm", "powershell", "june", "delphi", "malware", "malice", "retaliation", "through the nights", "apple", "lenovo", "ios", "hackers", "move", "moved" ], "references": [ "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "https://www.youtube.com/watch?v=GyuMozsVyYs", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "nr-data.net [Apple Private Data Collection]", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WAT:Blacked-E", "display_name": "WAT:Blacked-E", "target": null }, { "id": "Win32:RmnDrp [Inf]", "display_name": "Win32:RmnDrp [Inf]", "target": null }, { "id": "AI:FileInfector.EAEEA7850C", "display_name": "AI:FileInfector.EAEEA7850C", "target": null }, { "id": "Virus.Ramnit/Nimnul", "display_name": "Virus.Ramnit/Nimnul", "target": null }, { "id": "Trojan.Crifi.1", "display_name": "Trojan.Crifi.1", "target": null }, { "id": "Trojan.MSIL.Injurer.cbd", "display_name": "Trojan.MSIL.Injurer.cbd", "target": null }, { "id": "Win.Downloader.Small-1645", "display_name": "Win.Downloader.Small-1645", "target": null }, { "id": "Trojan:Win32/Scrarev.C", "display_name": "Trojan:Win32/Scrarev.C", "target": "/malware/Trojan:Win32/Scrarev.C" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Speesipro.A", "display_name": "Trojan:Win32/Speesipro.A", "target": "/malware/Trojan:Win32/Speesipro.A" }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Backdoor:Win32/Likseput.B", "display_name": "Backdoor:Win32/Likseput.B", "target": "/malware/Backdoor:Win32/Likseput.B" }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003.007", "name": "Proc Filesystem", "display_name": "T1003.007 - Proc Filesystem" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology", "Civil Society", "Crime Victims" ], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4312, "domain": 1056, "hostname": 1818, "URL": 5125, "FileHash-MD5": 310, "FileHash-SHA1": 221, "email": 3 }, "indicator_count": 12845, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6694bb9be1b61bf820500004", "name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet", "description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.", "modified": "2024-08-14T05:03:59.815000", "created": "2024-07-15T06:03:07.423000", "tags": [ "historical ssl", "referrer", "december", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "highly targeted", "cyber attack", "emotet", "critical", "copy", "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "pragma", "form", "hope", "karma", "learn", "suspicious", "flag", "pe resource", "synaptics", "apeaksoft ios", "hiddentear", "urls", "domains", "contacted", "markmonitor", "win32 exe", "parents", "type name", "msrsaapp", "youtube bot", "rar jays", "mozilla firefox", "twitch", "samplename", "rar youtube", "zip youtube", "social bots", "files", "file type", "kb file", "b file", "graph", "get https", "msie", "windows nt", "win64", "slcc2", "media center", "request", "gmt server", "referer https", "amd64 accept", "accept", "code", "rwx memory", "managed code", "calls unmanaged", "native", "often seen", "base64 encrypt", "trojan", "tsara brashears", "red team hacking", "process32nextw", "regsetvalueexa", "regdword", "high", "medium", "objects", "regbinary", "module load", "t1129", "t1060", "crash", "dock", "persistence", "execution", "okhfjrtblzo", "ip check", "windows", "http host", "controlservice", "domain", "registry", "tools", "service", "worm", "malware", "win32", "bits", "read c", "intel", "ms windows", "pe32", "search", "type read", "show", "wow64", "stop", "write", "unknown", "waiting", "push", "next", "asnone united", "aaaa", "united kingdom", "as20738 host", "moved", "passive dns", "default", "delete c", "pe32 executable", "document file", "v2 document", "floodfix", "floxif", "name servers", "susp", "showing", "as55286", "scan endpoints", "all scoreblue", "ransom", "amadey", "songculture", "spreader", "tracey richter", "roberts", "michael roberts", "jays", "sabey", "rexxfield", "darklivity" ], "references": [ "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "Ransom: message.htm.com", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "W32.AIDetectMalware.CS", "display_name": "W32.AIDetectMalware.CS", "target": null }, { "id": "Win.Virus.Pioneer-9111434-0", "display_name": "Win.Virus.Pioneer-9111434-0", "target": null }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win32:Renos-KY\\ [Trj]", "display_name": "Win32:Renos-KY\\ [Trj]", "target": null }, { "id": ", Win.Worm.Pykspa-6057105-0", "display_name": ", Win.Worm.Pykspa-6057105-0", "target": null }, { "id": "Worm:Win32/Pykspa.C", "display_name": "Worm:Win32/Pykspa.C", "target": "/malware/Worm:Win32/Pykspa.C" }, { "id": "PUP/Hacktool", "display_name": "PUP/Hacktool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 439, "FileHash-SHA1": 386, "FileHash-SHA256": 2320, "URL": 1873, "domain": 478, "hostname": 839, "SSLCertFingerprint": 9, "email": 7 }, "indicator_count": 6351, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6692cf0e2273bb06aa43e43c", "name": "Banker: Through The Nights - YouTube | Errors |", "description": "YouTube creator issue. Hijacked channel. Won't open in VT, 303 error, ransomware files. Ransomware confirmed, limited access/research for today's pulse.", "modified": "2024-08-12T18:02:56.458000", "created": "2024-07-13T19:01:34.484000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "low risk", "domain", "no malware", "found", "site", "ip address", "google network", "unknown", "low security", "risk", "hacked", "protect", "path", "secure", "httponly", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "samesitenone", "http response", "final url", "status code", "body length", "kb body", "pragma", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "jess", "tsara brashears", "zafira songs", "youtube og", "hope", "html info", "meta tags", "data", "v3 serial", "number", "cus ogoogle", "trust", "llc cngts", "validity", "subject public", "key info", "key algorithm", "name", "whois lookup", "create date", "expiry date", "query time", "update date", "update", "passive dns", "gmt content", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "urls", "files", "related pulses", "error", "code", "algorithm", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 343, "SSLCertFingerprint": 8, "URL": 333, "domain": 69, "hostname": 165 }, "indicator_count": 924, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "615 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cc958e062575a9a160", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:24.154000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603369ad0e38e313883c4fa", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root HELP! RETALIATION HAS OCCURRED ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:56:58.037000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 4468, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603360b48908ae9b9835563", "name": "IoT Dark Nexus + Mirai BotNet HELP HER PLEASE!!- Enom | TELNET Root |", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:54:35.118000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015553ad4633eb85c66817", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:31.072000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015551faca20cb510f9121", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:29.149000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://safe.imoneso.cn/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://safe.imoneso.cn/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776643439.512922 }