{ "type": "URL", "indicator": "https://search.cachesdata.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://search.cachesdata.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3752888587, "indicator": "https://search.cachesdata.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "66ce3eb4b4f1fc9eafb4b572", "name": "DDoS:Linux/Lightaidra | Mirai Botnet on US a State Computer", "description": "*Mirai Botnet on Colorado State computer. Im starting to wonder if potential problem cases are diverted to a botnet.\n1. Overlaps with a Colorado victim. Similar issues. I Recently became a senior in expensive Colorado, never compensated for workers compensation injury exacerbated when suddenly tossed a 60 lb weighted ball under care. Denied diagnoses of severe injury after toss. Complained, case closed, lawyers denied case after accepting case. Referred to JeffCo seeking assisted living resources. Was sent various packets with a variety of phone numbers, email addresses, etc. She keeps speaking to same man no matter what option chosen. Denied workforce training due to severity of injuries, No SSI or SSDI until years later. \n2. I can't pulse half of what I've researched without using multiple resources. No more 'contacted' made when new serious issues found. Pulses being modified. I rarely modify any pulse.", "modified": "2024-09-26T20:01:27.723000", "created": "2024-08-27T21:01:40.251000", "tags": [ "memcommit", "read c", "nospltezraxuf", "writeconsolea", "write", "CVE-2023-22518", "tesla", "ye ye", "incapril", "yed ye", "yet ye", "yexe ye", "security", "search", "function read", "dll read", "installer", "april", "copy", "win32", "template", "creation date", "servers", "passive dns", "urls", "name servers", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "date", "windows", "medium", "shellexecuteexw", "hash", "show", "writeconsolew", "entries", "displayname", "sddl", "service", "august", "malware", "url http", "http", "ip address", "related nids", "files location", "domain", "status", "nxdomain", "whitelisted", "certificate", "backdoor", "record value", "body", "as15133 verizon", "united", "unknown", "mtb aug", "gmt server", "ecacc sed5906", "ransom", "trojan", "high", "cname", "as8075", "ipv4", "files", "asn as55720", "date hash", "default", "delete", "yara detections", "msvisualcpp60", "related pulses", "rootkit", "as16276", "canada unknown", "pulses", "expiration date", "exploit", "showing", "aaaa", "france unknown", "mtb sep", "worm", "msil", "mirai", "as36081 state", "reverse dns", "port", "destination", "south korea", "taiwan as3462", "as4766 korea", "asnone", "japan as17676", "china as4134", "china as4837", "file samples", "files matching", "next", "copyright", "levelblue", "as20940", "as15169 google", "ave suite", "purpose p5", "country united", "code us", "as41231", "united kingdom", "ddos", "sha256", "filehash", "av detections", "location london", "great britain", "gnulinux apt", "yara rule", "ids detections", "top source", "address", "as23969", "thailand" ], "references": [ "In this instance a senior citizen needing assisted living resources redirected & social engineered by addresses originated from: jefferson.co.us", "Noted: Calls redirected, call jumps ahead of 25+ callers in wait, keeps getting same agent, told approved for services never applied for or received", "Exploits: IPv4 20.99.186.246 | 52.109.0.140 | CVE CVE-2023-22518 | Trojans: AgentTesla.KM , Cobalt Strike , Ransom: WannaCrypt , Malware: Dxqo", "Domain Name: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM Emails: BotnetSinkhole@gmail.com", "Emails: abuse@namecheap.com Name: Botnet Sinkhole | Address: Botnet Sinkhole City: Los Angeles Country: USA", "Dnssec:Unsigned | Name Servers | BRUCE.NS.CLOUDFLARE.COM", "Notable: Mirai - 192.70.175.110 Security Operations (DORA?) oit_isocsecurity@state.co.us | state.co.us | Reverse DNS dns1.state.co.us", "Unix.Trojan.Mirai-6976991-0 : FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c", "ELF:Mirai-AII\\ [Trj] | FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Overlaps: 4 others mailed information email address.", "Ransom:Win32/WannaCrypt.H", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | CVE-2017-0147", "AS36081 State of Colorado General Government Computer", "Yara Detections Mirai_Botnet_Malware Alerts: dead_host network_icmp osquery_detection nolookup_communication", "ELF:Mirai-AII\\ [Trj] | FileHash-SHA256: 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Detections Executable and linking format (ELF) file download Over HTTP |", "FileHash-SHA256 : 256760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]", "77882 IP\u2019s Contacted: 1.1.69.67 1.10.237.208 1.101.233.31 1.102.46.59 1.103.37.126 1.105.106.252 1.106.108.182 1.106.193.143 1.109.132.165 1.11.116.209", "Domains Contacted: ntp.ubuntu.com | IDS Detections GNU/Linux APT User-Agent Outbound likely related to package management | 91.189.89.198", "Yara Detections: gafgyt IP\u2019s Contacted: 91.189.89.198 Domains Contacted :ntp.ubuntu.com", "FileHash-SHA256: a0f50a7b0f9717589000b3414017bdcfcb9d3f6a3e5e03fe49c4dc8035e0d25c", "Related Domains: townofignacio.com | coloradoagriculture.com | coloradoworkforce.com | coworkforce.com | coloradoccjj.com | dns1.state.co.us", "https://www.rapidinterviews.com/api/jobs/redirect/public-transit-bus-drivers-with-utah-transit-authority-in-stansbury-park-apc-1932", "https://us.thebigjobsite.com/redirectfeedjob?jobid=2A5F97A6BAE0AA90DC418C2119E1E0EB&source=onestepjobsxmlus&utm_source=onestepjobsxmlus&jobSiteK", "redirect.wuxs.icu", "https://a-a.redirector.navexglobal.com/navex_hosting/404.html", "https://engage.navexglobal.com/topclass1/login.do?redirectTo=/expand.do?template=JasperReports&view=library" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Malware.Dxqo-6984072-0", "display_name": "Win.Malware.Dxqo-6984072-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt", "display_name": "Ransom:Win32/WannaCrypt", "target": "/malware/Ransom:Win32/WannaCrypt" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Backdoor:Win32/Fynloski", "display_name": "Backdoor:Win32/Fynloski", "target": "/malware/Backdoor:Win32/Fynloski" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "TELPER:DDoS:Linux/Lightaidra", "display_name": "TELPER:DDoS:Linux/Lightaidra", "target": null } ], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1009", "name": "Binary Padding", "display_name": "T1009 - Binary Padding" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" } ], "industries": [ "Telecom" ], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 675, "FileHash-SHA1": 664, "FileHash-SHA256": 3327, "URL": 2448, "domain": 656, "hostname": 1281, "email": 11 }, "indicator_count": 9064, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "569 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d85bc3164cd519bc4a282d", "name": "Win32:RansomX-gen\\ [Ransom] \u2022 Win32:MalwareX-gen\\ [Trj]", "description": "https://otx.alienvault.com/indicator/ doesn't finish loading. Unable to analyze detections.\nnetwork_icmp\nallocates_rwx\npacker_entropy\nhas_pdb\npe_unknown_resource_name\nsysinternals_tools_usage\nallocates_rwx\nsuspicious_process", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T08:48:03.696000", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d8c371cc0957afd9195ae0", "name": ":MalwareX-gen\\ [Trj]", "description": "", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T16:10:26", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": "65d85bc3164cd519bc4a282d", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab5eb4d0a233bf6f32edb", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:20:59.154000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab601f0d674294b603758", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:21.869000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab60667f8205c19d6b67b", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:26.244000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab616bb5869335d184ae7", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:42.183000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a989843b7acf6d0a79ac", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "", "modified": "2023-12-06T17:04:09.133000", "created": "2023-12-06T17:04:09.133000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 290, "FileHash-SHA256": 1478, "hostname": 1047, "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "email": 1, "FilePath": 2, "Mutex": 1, "CIDR": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a921559dd331e2b31e4c", "name": "Brontok", "description": "", "modified": "2023-12-06T17:02:25.638000", "created": "2023-12-06T17:02:25.638000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 21, "hostname": 432, "domain": 161, "FileHash-SHA256": 714, "URL": 750, "FileHash-MD5": 1400, "FileHash-SHA1": 706, "Mutex": 1, "FilePath": 1, "URI": 1 }, "indicator_count": 4187, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a79534c615a8f10f3380", "name": "Qakbot | Info Stealer | Sourced: Part-RU", "description": "", "modified": "2023-12-06T16:55:49.669000", "created": "2023-12-06T16:55:49.669000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2383, "hostname": 1027, "domain": 418, "URL": 2673, "FileHash-MD5": 99, "FileHash-SHA1": 98 }, "indicator_count": 6698, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652cc4de6aa3848c3722e9a6", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "Serious concerns. Approached, threatened & told no cyber tool or literature would help me by a stranger in public place seconds after a male demanded to know if I had a SQL book or knowledge, asked for phone #, a date , to buy only 2 books and come with him? WHAT? He really wanted my number not me. he got so close to, I thought he had a wearable hacktool device. Ongoing. I realized dumping when I typed, the letter T only for another search term, results = Tsara Brashears dead? Clean search browser history. No Auto DL file titled: government Qbot Qakbot?! I couldn't open it. Last night I got a free unauthorized penetration test, apps, awful attack. Adult content dumping from listed in references. . I don't attack is China based despite server locations.. It's too easy to appear to be attacking from another country. Can't make it up. Ongoing long. Major disruption. Issue predates research.", "modified": "2023-11-15T01:03:46.666000", "created": "2023-10-16T05:06:38.412000", "tags": [ "whois record", "tsara brashears", "contacted", "threat roundup", "whois whois", "remcos", "iocs", "cyberstalking", "cry kill", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "malware", "awful", "open", "korplug", "execution", "pe resource", "referrer", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "quasar", "ursnif", "name verdict", "falcon sandbox", "sha256", "size", "sha1", "show process", "runtime process", "unicode", "crlf line", "ascii text", "mitre att", "type data", "hybrid", "general", "local", "path", "click", "strings", "nanjing xinfeng", "xiongmao group", "road descr", "district", "nanjing", "jiangsu", "china country", "apnic irt", "beijing", "china email", "copy md5", "copy sha1", "copy sha256", "AMERICA", "threat", "cyber criminal", "teams", "bounce", "Please Stop \u2205", "eminent threat", "Apple", "Android", "adversarial", "injection", "Tulach.cc malware", "scanning_host", "exploit_source", "ransomware" ], "references": [ "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e", "114.114.114.114", "http://login.live.com/oauth20_remoteconnect.srf", "a-poster.info", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "[Unnamed Teams Hacking Group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Wanna Cry Kill Switch", "display_name": "Wanna Cry Kill Switch", "target": null }, { "id": "RansomEXX (Windows)", "display_name": "RansomEXX (Windows)", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "FileHash-SHA256": 1478, "domain": 290, "hostname": 1047, "FilePath": 2, "Mutex": 1, "CVE": 2, "CIDR": 1, "email": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "886 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652ac38b58830eb3825f84e8", "name": "Brontok", "description": "Colorado Malicious link found in Colorado Secretary of State Website. \n.\nhttps://www.sos.state.co.us/ucc/pages/biz/bizSearch.xhtml \nCritical vulnerabilities:\nVNC Server Authentication-less; The VNC server installed on the remote host allows an attacker to connect to the remote host as no authentication is required to access this service.\n\nBrontok: a computer worm running on Microsoft Windows \n\nRedLine Stealer: infostealer malware stealing password credentials, credit card numbers, etc,. \n\nVulnerable to CVE exploits: 21 CVE's over time.\ncyber criminal web attack?", "modified": "2023-11-13T15:00:53.499000", "created": "2023-10-14T16:36:27.390000", "tags": [ "united", "proxy", "firehol", "anonymizer", "host", "team malware", "noname057", "cisco umbrella", "heur", "site", "safe site", "malware", "alexa top", "million", "phishing site", "malicious site", "artemis", "installcore", "unsafe", "alexa", "redline stealer", "outbreak", "iobit", "dropper", "crack", "riskware", "acint", "conduit", "installpack", "mediaget", "live", "presenoker", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "agent", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "team", "unruy", "trojanx", "webshell", "exploit", "maltiverse", "generic malware", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "site top", "html", "malware site", "win64", "opencandy", "phishing", "fusioncore", "wacatac", "iframe", "downldr", "softcnapp", "cleaner", "tiggre", "vidar", "raccoon", "union", "xtrat", "bank", "cve201711882", "phish", "nsis", "xrat", "stealer", "download", "first", "vnc", "slimware", "trojanspy", "blacklist https", "Phishing Banco De Brasil", "remote", "msil, rat,revenge-rat -evasive" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VNC", "display_name": "VNC", "target": null }, { "id": "Slimware", "display_name": "Slimware", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "PUP.Bundler", "display_name": "PUP.Bundler", "target": null }, { "id": "DangerousObject. Agent", "display_name": "DangerousObject. Agent", "target": null }, { "id": "WebToolBar.Backdoor", "display_name": "WebToolBar.Backdoor", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "NBAE", "display_name": "NBAE", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 21, "domain": 161, "hostname": 432, "FileHash-MD5": 1400, "FileHash-SHA1": 706, "FileHash-SHA256": 714, "URL": 750, "Mutex": 1, "FilePath": 1, "URI": 1 }, "indicator_count": 4187, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1d0b195d4b6afe502318", "name": "Brontok", "description": "", "modified": "2023-11-13T15:00:53.499000", "created": "2023-10-30T03:03:39.499000", "tags": [ "united", "proxy", "firehol", "anonymizer", "host", "team malware", "noname057", "cisco umbrella", "heur", "site", "safe site", "malware", "alexa top", "million", "phishing site", "malicious site", "artemis", "installcore", "unsafe", "alexa", "redline stealer", "outbreak", "iobit", "dropper", "crack", "riskware", "acint", "conduit", "installpack", "mediaget", "live", "presenoker", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "agent", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "team", "unruy", "trojanx", "webshell", "exploit", "maltiverse", "generic malware", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "site top", "html", "malware site", "win64", "opencandy", "phishing", "fusioncore", "wacatac", "iframe", "downldr", "softcnapp", "cleaner", "tiggre", "vidar", "raccoon", "union", "xtrat", "bank", "cve201711882", "phish", "nsis", "xrat", "stealer", "download", "first", "vnc", "slimware", "trojanspy", "blacklist https", "Phishing Banco De Brasil", "remote", "msil, rat,revenge-rat -evasive" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VNC", "display_name": "VNC", "target": null }, { "id": "Slimware", "display_name": "Slimware", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "PUP.Bundler", "display_name": "PUP.Bundler", "target": null }, { "id": "DangerousObject. Agent", "display_name": "DangerousObject. Agent", "target": null }, { "id": "WebToolBar.Backdoor", "display_name": "WebToolBar.Backdoor", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "NBAE", "display_name": "NBAE", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": "652ac38b58830eb3825f84e8", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 21, "domain": 161, "hostname": 432, "FileHash-MD5": 1400, "FileHash-SHA1": 706, "FileHash-SHA256": 714, "URL": 750, "Mutex": 1, "FilePath": 1, "URI": 1 }, "indicator_count": 4187, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6519c4b76612eda702942ad6", "name": "Qakbot | Info Stealer | Sourced: Part-RU", "description": "Info Stealer\nET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 789", "modified": "2023-10-31T16:03:29.760000", "created": "2023-10-01T19:12:55.573000", "tags": [ "ssl certificate", "contacted", "whois record", "execution", "bundled", "resolutions", "referrer", "communicating", "network", "historical ssl", "malware", "twitter", "hacktool", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 98, "FileHash-SHA256": 2383, "URL": 2673, "domain": 418, "hostname": 1027 }, "indicator_count": 6698, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "901 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1344cd54f3a86745a617", "name": "Qakbot | Info Stealer | Sourced: Part-RU", "description": "", "modified": "2023-10-31T16:03:29.760000", "created": "2023-10-30T02:21:56.497000", "tags": [ "ssl certificate", "contacted", "whois record", "execution", "bundled", "resolutions", "referrer", "communicating", "network", "historical ssl", "malware", "twitter", "hacktool", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6519c4b76612eda702942ad6", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 98, "FileHash-SHA256": 2383, "URL": 2673, "domain": 418, "hostname": 1027 }, "indicator_count": 6698, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "901 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Notable: Mirai - 192.70.175.110 Security Operations (DORA?) oit_isocsecurity@state.co.us | state.co.us | Reverse DNS dns1.state.co.us", "http://login.live.com/oauth20_remoteconnect.srf", "Emails: abuse@namecheap.com Name: Botnet Sinkhole | Address: Botnet Sinkhole City: Los Angeles Country: USA", "In this instance a senior citizen needing assisted living resources redirected & social engineered by addresses originated from: jefferson.co.us", "Related Domains: townofignacio.com | coloradoagriculture.com | coloradoworkforce.com | coworkforce.com | coloradoccjj.com | dns1.state.co.us", "https://www.rapidinterviews.com/api/jobs/redirect/public-transit-bus-drivers-with-utah-transit-authority-in-stansbury-park-apc-1932", "https://engage.navexglobal.com/topclass1/login.do?redirectTo=/expand.do?template=JasperReports&view=library", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "FileHash-SHA256 : 256760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "https://www.sweetheartvideo.com/tsara-brashears/", "ELF:Mirai-AII\\ [Trj] | FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "FileHash-SHA256: a0f50a7b0f9717589000b3414017bdcfcb9d3f6a3e5e03fe49c4dc8035e0d25c", "Dnssec:Unsigned | Name Servers | BRUCE.NS.CLOUDFLARE.COM", "Unix.Trojan.Mirai-6976991-0 : FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c", "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]", "a-poster.info", "ELF:Mirai-AII\\ [Trj] | FileHash-SHA256: 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "77882 IP\u2019s Contacted: 1.1.69.67 1.10.237.208 1.101.233.31 1.102.46.59 1.103.37.126 1.105.106.252 1.106.108.182 1.106.193.143 1.109.132.165 1.11.116.209", "Overlaps: 4 others mailed information email address.", "Yara Detections: gafgyt IP\u2019s Contacted: 91.189.89.198 Domains Contacted :ntp.ubuntu.com", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | CVE-2017-0147", "Noted: Calls redirected, call jumps ahead of 25+ callers in wait, keeps getting same agent, told approved for services never applied for or received", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e", "Detections Executable and linking format (ELF) file download Over HTTP |", "https://a-a.redirector.navexglobal.com/navex_hosting/404.html", "Yara Detections Mirai_Botnet_Malware Alerts: dead_host network_icmp osquery_detection nolookup_communication", "114.114.114.114", "redirect.wuxs.icu", "Domain Name: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM Emails: BotnetSinkhole@gmail.com", "https://us.thebigjobsite.com/redirectfeedjob?jobid=2A5F97A6BAE0AA90DC418C2119E1E0EB&source=onestepjobsxmlus&utm_source=onestepjobsxmlus&jobSiteK", "AS36081 State of Colorado General Government Computer", "Domains Contacted: ntp.ubuntu.com | IDS Detections GNU/Linux APT User-Agent Outbound likely related to package management | 91.189.89.198", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ransom:Win32/WannaCrypt.H", "Exploits: IPv4 20.99.186.246 | 52.109.0.140 | CVE CVE-2023-22518 | Trojans: AgentTesla.KM , Cobalt Strike , Ransom: WannaCrypt , Malware: Dxqo" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "[Unnamed Teams Hacking Group]" ], "malware_families": [ "Win.malware.fileinfector-9834127-0", "Worm:win32/mofksys", "Wanna cry kill switch", "Trojan:win32/cryptinject.sd!mtb", "Daxin", "Quasar rat", "Nbae", "Cobalt strike", "Alf:trojan:msil/agenttesla.km", "Azorult - s0344", "Gregory", "Slimware", "Ransomexx (windows)", "Pup.bundler", "Backdoor:win32/fynloski", "Maltiverse", "Win.malware.dxqo-6984072-0", "Qakbot - s0650", "Remcos", "Hacktool", "Dark power", "Dangerousobject. agent", "Telper:ddos:linux/lightaidra", "Ransom:win32/wannacrypt", "Trojanspy", "Mirai", "Njrat - s0385", "Webtoolbar.backdoor", "Nanocore rat", "Win.trojan.cobaltstrike-9044898-1", "Vnc", "Win32:trojan-gen", "Emotet b" ], "industries": [ "Telecom" ], "unique_indicators": 39989 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cachesdata.com", "whois": "http://whois.domaintools.com/cachesdata.com", "domain": "cachesdata.com", "hostname": "search.cachesdata.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "66ce3eb4b4f1fc9eafb4b572", "name": "DDoS:Linux/Lightaidra | Mirai Botnet on US a State Computer", "description": "*Mirai Botnet on Colorado State computer. Im starting to wonder if potential problem cases are diverted to a botnet.\n1. Overlaps with a Colorado victim. Similar issues. I Recently became a senior in expensive Colorado, never compensated for workers compensation injury exacerbated when suddenly tossed a 60 lb weighted ball under care. Denied diagnoses of severe injury after toss. Complained, case closed, lawyers denied case after accepting case. Referred to JeffCo seeking assisted living resources. Was sent various packets with a variety of phone numbers, email addresses, etc. She keeps speaking to same man no matter what option chosen. Denied workforce training due to severity of injuries, No SSI or SSDI until years later. \n2. I can't pulse half of what I've researched without using multiple resources. No more 'contacted' made when new serious issues found. Pulses being modified. I rarely modify any pulse.", "modified": "2024-09-26T20:01:27.723000", "created": "2024-08-27T21:01:40.251000", "tags": [ "memcommit", "read c", "nospltezraxuf", "writeconsolea", "write", "CVE-2023-22518", "tesla", "ye ye", "incapril", "yed ye", "yet ye", "yexe ye", "security", "search", "function read", "dll read", "installer", "april", "copy", "win32", "template", "creation date", "servers", "passive dns", "urls", "name servers", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "date", "windows", "medium", "shellexecuteexw", "hash", "show", "writeconsolew", "entries", "displayname", "sddl", "service", "august", "malware", "url http", "http", "ip address", "related nids", "files location", "domain", "status", "nxdomain", "whitelisted", "certificate", "backdoor", "record value", "body", "as15133 verizon", "united", "unknown", "mtb aug", "gmt server", "ecacc sed5906", "ransom", "trojan", "high", "cname", "as8075", "ipv4", "files", "asn as55720", "date hash", "default", "delete", "yara detections", "msvisualcpp60", "related pulses", "rootkit", "as16276", "canada unknown", "pulses", "expiration date", "exploit", "showing", "aaaa", "france unknown", "mtb sep", "worm", "msil", "mirai", "as36081 state", "reverse dns", "port", "destination", "south korea", "taiwan as3462", "as4766 korea", "asnone", "japan as17676", "china as4134", "china as4837", "file samples", "files matching", "next", "copyright", "levelblue", "as20940", "as15169 google", "ave suite", "purpose p5", "country united", "code us", "as41231", "united kingdom", "ddos", "sha256", "filehash", "av detections", "location london", "great britain", "gnulinux apt", "yara rule", "ids detections", "top source", "address", "as23969", "thailand" ], "references": [ "In this instance a senior citizen needing assisted living resources redirected & social engineered by addresses originated from: jefferson.co.us", "Noted: Calls redirected, call jumps ahead of 25+ callers in wait, keeps getting same agent, told approved for services never applied for or received", "Exploits: IPv4 20.99.186.246 | 52.109.0.140 | CVE CVE-2023-22518 | Trojans: AgentTesla.KM , Cobalt Strike , Ransom: WannaCrypt , Malware: Dxqo", "Domain Name: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM Emails: BotnetSinkhole@gmail.com", "Emails: abuse@namecheap.com Name: Botnet Sinkhole | Address: Botnet Sinkhole City: Los Angeles Country: USA", "Dnssec:Unsigned | Name Servers | BRUCE.NS.CLOUDFLARE.COM", "Notable: Mirai - 192.70.175.110 Security Operations (DORA?) oit_isocsecurity@state.co.us | state.co.us | Reverse DNS dns1.state.co.us", "Unix.Trojan.Mirai-6976991-0 : FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c", "ELF:Mirai-AII\\ [Trj] | FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Overlaps: 4 others mailed information email address.", "Ransom:Win32/WannaCrypt.H", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | CVE-2017-0147", "AS36081 State of Colorado General Government Computer", "Yara Detections Mirai_Botnet_Malware Alerts: dead_host network_icmp osquery_detection nolookup_communication", "ELF:Mirai-AII\\ [Trj] | FileHash-SHA256: 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Detections Executable and linking format (ELF) file download Over HTTP |", "FileHash-SHA256 : 256760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9", "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]", "77882 IP\u2019s Contacted: 1.1.69.67 1.10.237.208 1.101.233.31 1.102.46.59 1.103.37.126 1.105.106.252 1.106.108.182 1.106.193.143 1.109.132.165 1.11.116.209", "Domains Contacted: ntp.ubuntu.com | IDS Detections GNU/Linux APT User-Agent Outbound likely related to package management | 91.189.89.198", "Yara Detections: gafgyt IP\u2019s Contacted: 91.189.89.198 Domains Contacted :ntp.ubuntu.com", "FileHash-SHA256: a0f50a7b0f9717589000b3414017bdcfcb9d3f6a3e5e03fe49c4dc8035e0d25c", "Related Domains: townofignacio.com | coloradoagriculture.com | coloradoworkforce.com | coworkforce.com | coloradoccjj.com | dns1.state.co.us", "https://www.rapidinterviews.com/api/jobs/redirect/public-transit-bus-drivers-with-utah-transit-authority-in-stansbury-park-apc-1932", "https://us.thebigjobsite.com/redirectfeedjob?jobid=2A5F97A6BAE0AA90DC418C2119E1E0EB&source=onestepjobsxmlus&utm_source=onestepjobsxmlus&jobSiteK", "redirect.wuxs.icu", "https://a-a.redirector.navexglobal.com/navex_hosting/404.html", "https://engage.navexglobal.com/topclass1/login.do?redirectTo=/expand.do?template=JasperReports&view=library" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Malware.Dxqo-6984072-0", "display_name": "Win.Malware.Dxqo-6984072-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt", "display_name": "Ransom:Win32/WannaCrypt", "target": "/malware/Ransom:Win32/WannaCrypt" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Backdoor:Win32/Fynloski", "display_name": "Backdoor:Win32/Fynloski", "target": "/malware/Backdoor:Win32/Fynloski" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "TELPER:DDoS:Linux/Lightaidra", "display_name": "TELPER:DDoS:Linux/Lightaidra", "target": null } ], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1009", "name": "Binary Padding", "display_name": "T1009 - Binary Padding" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" } ], "industries": [ "Telecom" ], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 675, "FileHash-SHA1": 664, "FileHash-SHA256": 3327, "URL": 2448, "domain": 656, "hostname": 1281, "email": 11 }, "indicator_count": 9064, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "569 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d85bc3164cd519bc4a282d", "name": "Win32:RansomX-gen\\ [Ransom] \u2022 Win32:MalwareX-gen\\ [Trj]", "description": "https://otx.alienvault.com/indicator/ doesn't finish loading. Unable to analyze detections.\nnetwork_icmp\nallocates_rwx\npacker_entropy\nhas_pdb\npe_unknown_resource_name\nsysinternals_tools_usage\nallocates_rwx\nsuspicious_process", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T08:48:03.696000", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d8c371cc0957afd9195ae0", "name": ":MalwareX-gen\\ [Trj]", "description": "", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T16:10:26", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": "65d85bc3164cd519bc4a282d", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab5eb4d0a233bf6f32edb", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:20:59.154000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab601f0d674294b603758", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:21.869000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab60667f8205c19d6b67b", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:26.244000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab616bb5869335d184ae7", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:42.183000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a989843b7acf6d0a79ac", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "", "modified": "2023-12-06T17:04:09.133000", "created": "2023-12-06T17:04:09.133000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 290, "FileHash-SHA256": 1478, "hostname": 1047, "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "email": 1, "FilePath": 2, "Mutex": 1, "CIDR": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a921559dd331e2b31e4c", "name": "Brontok", "description": "", "modified": "2023-12-06T17:02:25.638000", "created": "2023-12-06T17:02:25.638000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 21, "hostname": 432, "domain": 161, "FileHash-SHA256": 714, "URL": 750, "FileHash-MD5": 1400, "FileHash-SHA1": 706, "Mutex": 1, "FilePath": 1, "URI": 1 }, "indicator_count": 4187, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a79534c615a8f10f3380", "name": "Qakbot | Info Stealer | Sourced: Part-RU", "description": "", "modified": "2023-12-06T16:55:49.669000", "created": "2023-12-06T16:55:49.669000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2383, "hostname": 1027, "domain": 418, "URL": 2673, "FileHash-MD5": 99, "FileHash-SHA1": 98 }, "indicator_count": 6698, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://search.cachesdata.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://search.cachesdata.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776620157.0309944 }