{ "type": "URL", "indicator": "https://securemail.state.co", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://securemail.state.co", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3619462805, "indicator": "https://securemail.state.co", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "682d481cb7ed0e71682f8309", "name": "Plumix 41:1c:fc:08:65:49:a7:e3:91:67:ab:94:82:bf:2c:0f:af:e4:24:2a 2018-08-08 bis 2292-05-22", "description": "Plumix.com\nSerwer nazw domen\nns2.nazwa.pl , ns1.nazwa.pl", "modified": "2025-06-20T03:02:24.594000", "created": "2025-05-21T03:27:24.351000", "tags": [ "dht penomocnik", "anycast voip", "dht kopalnia", "chmura dht", "amazonaes", "akamai poczona", "chmura chmura", "dnparking dht", "porwany", "dnparking", "amazon02 spam", "4 zapisy", "cname", "mx a" ], "references": [ "Plumix.com", "https://www.virustotal.com/graph/embed/gcbfc9c0da50d4e0b826b5d57" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "SSLCertFingerprint": 1, "hostname": 387, "domain": 338, "FileHash-SHA256": 198, "URL": 958 }, "indicator_count": 1882, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "303 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e846796e72bee6be87c110", "name": "C:\\Program Files\\Microsoft Office\\root\\", "description": "C:\\Program Files\\Microsoft Office\\root\\\n\nIocs sampled from the directory: C:\\Program Files\\Microsoft Office\\root\\ (from an infected windows 11 sample PC)\nNot complete, will expand upon it later.\nUnder C:\\Program Files\\Microsoft Office there is...\n4x File Folders, 3x Edge HTML Docs", "modified": "2024-10-16T19:04:17.209000", "created": "2024-09-16T14:53:45.370000", "tags": [ "entity", "please", "javascript", "clientid", "platformwin32", "buildship", "architecturex86", "osbuild7601", "channeldcwin7", "installtypec2r", "sessionid" ], "references": [ "https://www.virustotal.com/graph/embed/g8c4e1b9704cb478f92c4fbb255016abe5beee3a86be54a118c68677c8976dcf7?theme=dark", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d/iocs", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 3981, "URL": 685, "domain": 476, "hostname": 748 }, "indicator_count": 6178, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65afcb842689eb776c0737e5", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-23T14:21:56.725000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65aab8eb55243c504a2cb4c0", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65aab8eb55243c504a2cb4c0", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-19T18:01:15.365000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a9b87d2d435bdad9ce80a3", "name": "Racoon Stealer ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:47:09.818000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a9b4296442cc8db50a264f", "name": "Maui Ransomware ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:28:41.569000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "653977171f690fb9ab978bf3", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659331589faf01b909c1802d", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.413000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659331580cd1571f730b8de2", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.242000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a77022ab8eb59e186099", "name": "scan_host", "description": "", "modified": "2023-12-06T16:55:12.020000", "created": "2023-12-06T16:55:12.020000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 113, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a72f140326fa725a7583", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:54:07.518000", "created": "2023-12-06T16:54:07.518000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a71746cd05b8ffc71d86", "name": "Application Layer Protocol", "description": "", "modified": "2023-12-06T16:53:43.601000", "created": "2023-12-06T16:53:43.601000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6f9f0cb95f36a8590b6", "name": "Application Layer Protocol", "description": "", "modified": "2023-12-06T16:53:13.036000", "created": "2023-12-06T16:53:13.036000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6e151668215a7eb7ef6", "name": "Cyber Criminal Group", "description": "", "modified": "2023-12-06T16:52:49.885000", "created": "2023-12-06T16:52:49.885000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 113, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6cfa62bb520508659a6", "name": "NewOrder.doc", "description": "", "modified": "2023-12-06T16:52:31.959000", "created": "2023-12-06T16:52:31.959000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a581b1024ea61979da96", "name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)", "description": "", "modified": "2023-12-06T16:46:57.782000", "created": "2023-12-06T16:46:57.782000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 5791, "hostname": 3255, "domain": 2317, "FileHash-MD5": 44, "FileHash-SHA1": 34, "URL": 11513 }, "indicator_count": 22957, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a3dd6b4fb6460f906d0b", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:39:57.080000", "created": "2023-12-06T16:39:57.080000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a3cbf5835c0db09df031", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:39:39.015000", "created": "2023-12-06T16:39:39.015000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a3ba609912d5c2688fda", "name": "&", "description": "", "modified": "2023-12-06T16:39:22.589000", "created": "2023-12-06T16:39:22.589000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a3aab919327802eaa6c7", "name": "&", "description": "", "modified": "2023-12-06T16:39:06.882000", "created": "2023-12-06T16:39:06.882000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a39c62ca90307d3ed7a2", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:38:52.427000", "created": "2023-12-06T16:38:52.427000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a38ab6285fde4c69534d", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:38:34.581000", "created": "2023-12-06T16:38:34.581000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a378641e02b700e2c60b", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:38:16.858000", "created": "2023-12-06T16:38:16.858000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a368b24b94cdd5d344d0", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:38:00.732000", "created": "2023-12-06T16:38:00.732000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a3566f101265e303109f", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:37:42.071000", "created": "2023-12-06T16:37:42.071000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a341ad3da7ce846d2d7a", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:37:21.524000", "created": "2023-12-06T16:37:21.524000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a32e67d395236553d739", "name": "confer.pw", "description": "", "modified": "2023-12-06T16:37:02.495000", "created": "2023-12-06T16:37:02.495000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a31d3f7a17df14af4915", "name": "-_-", "description": "", "modified": "2023-12-06T16:36:45.040000", "created": "2023-12-06T16:36:45.040000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a30b4e663b75369851e3", "name": "", "description": "", "modified": "2023-12-06T16:36:27.088000", "created": "2023-12-06T16:36:27.088000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a2fa9421d107b6ade1bf", "name": "", "description": "", "modified": "2023-12-06T16:36:10.480000", "created": "2023-12-06T16:36:10.480000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a2e7cd51140a2423edf5", "name": "", "description": "", "modified": "2023-12-06T16:35:51.131000", "created": "2023-12-06T16:35:51.131000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a2d5e7d74f25c209652d", "name": "", "description": "", "modified": "2023-12-06T16:35:33.433000", "created": "2023-12-06T16:35:33.433000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a2c28401bda338adc15e", "name": "", "description": "", "modified": "2023-12-06T16:35:14.403000", "created": "2023-12-06T16:35:14.403000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a2ae16a2ac8b0bd23523", "name": "Hacker Group. Cyber Criminal Group", "description": "", "modified": "2023-12-06T16:34:54.869000", "created": "2023-12-06T16:34:54.869000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a29c2e97b9fce90093c3", "name": "STOP modifying my pulses. Unauthorized Login. ABUSE! Is this tool safe?", "description": "", "modified": "2023-12-06T16:34:36.087000", "created": "2023-12-06T16:34:36.087000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a28ac07b076a6022abbd", "name": "NewOrder.doc", "description": "", "modified": "2023-12-06T16:34:18.117000", "created": "2023-12-06T16:34:18.117000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a278b0d22cb077976227", "name": "scan_host", "description": "", "modified": "2023-12-06T16:34:00.462000", "created": "2023-12-06T16:34:00.462000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a265501145de92c5d159", "name": "Phishing", "description": "", "modified": "2023-12-06T16:33:41.886000", "created": "2023-12-06T16:33:41.886000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a2532d2d154345e475c2", "name": "Phishing", "description": "", "modified": "2023-12-06T16:33:23.968000", "created": "2023-12-06T16:33:23.968000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a2410b6595444a3fdd99", "name": "Phishing", "description": "", "modified": "2023-12-06T16:33:05.489000", "created": "2023-12-06T16:33:05.489000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a22d6bf14908e11e80d9", "name": "Malware Host", "description": "", "modified": "2023-12-06T16:32:45.581000", "created": "2023-12-06T16:32:45.581000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a219b919327802eaa6c6", "name": "Command and Control", "description": "", "modified": "2023-12-06T16:32:25.440000", "created": "2023-12-06T16:32:25.440000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a2084b4084d5432f5410", "name": "Command and Control", "description": "", "modified": "2023-12-06T16:32:08.088000", "created": "2023-12-06T16:32:08.088000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1f57ef682c90e8c88a4", "name": "Command and Control", "description": "", "modified": "2023-12-06T16:31:49.825000", "created": "2023-12-06T16:31:49.825000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1e3fa6efdc2e5fa11b3", "name": "Command and Control", "description": "", "modified": "2023-12-06T16:31:31.501000", "created": "2023-12-06T16:31:31.501000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657096426f25db0e546b0c8f", "name": "gala.games and home routers storing malware for theeat actors", "description": "", "modified": "2023-12-06T15:41:54.948000", "created": "2023-12-06T15:41:54.948000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 45, "FileHash-SHA1": 44, "FileHash-SHA256": 533, "domain": 64, "hostname": 266, "URL": 663 }, "indicator_count": 1616, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f219ce051cf01e9a6be8b", "name": "Speechless | Critical", "description": "", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-30T03:23:08.790000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "653977171f690fb9ab978bf3", "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2457, "FileHash-MD5": 656, "FileHash-SHA256": 8455, "hostname": 2605, "email": 3, "URL": 5548, "CVE": 12 }, "indicator_count": 20377, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f2100b535d359accfc3a6", "name": "CVE JAR Found | Massive active Malicious | Tulach & AIG associated | Scam", "description": "", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-30T03:20:32.349000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "white", "cloned_from": "653960d6d09796c4ba4c1e90", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2295, "FileHash-MD5": 656, "FileHash-SHA256": 7727, "hostname": 2252, "email": 3, "URL": 4406, "CVE": 10 }, "indicator_count": 17990, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653977171f690fb9ab978bf3", "name": "Speechless | Critical", "description": "Cyber threat. Target Tsara Brashears is now Tsara Brashears Malware. Looks like an investigation, might be a legitimate investigation. I have no insight as to whether investigation is warranted, staged, or silencing?? \nVerdict:\nAdversarial monitoring, harassment, Libel, cyber crime by a genius exploiting regulations and escalation privileges. Target at high risk.", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-25T20:14:14.532000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2457, "FileHash-MD5": 656, "FileHash-SHA256": 8455, "hostname": 2605, "email": 3, "URL": 5548, "CVE": 12 }, "indicator_count": 20377, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653960d6d09796c4ba4c1e90", "name": "CVE JAR Found | Massive active Malicious | unlatched issues", "description": "Monitoring Tsara Brashears - Extreme cyber attack against documented as alleged SA victim. Non-Adversarial Tsara Brashears inflicted with highly malicious Malware auto populated. Massive online attack on Tsara Brashears defaced digital profile. Attacks primarily by Adversarial Tulach malware.\nDaisy Coleman [deceased] moderate malware attack against target a documented SA survivor.\nThis is a revenge attacker. \nPhysical harm imminence [HIGH] SOS\nEdward Snowden speaks of similar attacks against American citizen. Was target warned of malware status or massive attack. Made aware of Botnet by any authority?", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-25T18:39:18.723000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2295, "FileHash-MD5": 656, "FileHash-SHA256": 7727, "hostname": 2252, "email": 3, "URL": 4406, "CVE": 10 }, "indicator_count": 17990, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://dns1.whitelist.camect.com [interesting]", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d/iocs", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "20.190.160.73 Microsoft [exploit_source]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "watson.events.data.microsoft.com [traffic manager]", "tulach.cc [Adversarial Malware Attack Source]", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "0-1.duckdns.org [malicious]", "http://www.sos.state.co/ [interesting]", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "mobile.twitter.com [titled hashtag Daisy Coleman]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "www.anyxxxtube.net [tracking]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "https://www.virustotal.com/graph/embed/g8c4e1b9704cb478f92c4fbb255016abe5beee3a86be54a118c68677c8976dcf7?theme=dark", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d/graph", "findbetterresults.com", "https://www.jbits.courts.state.co [interesting]", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "https://www.apple.com/qtactivex/qtplugin.cab", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "aig.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "104.200.22.130 Command and Control", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "apple-dns.net. [Apple email collection]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "20.190.160.67 Microsoft [exploit_source]", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "20.190.160.2 Microsoft [exploit_source]", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "www2.megawebfind.com [command_and_control]", "newrelic.se [Apple Collection]", "nr-data.net [ Hidden private Apple data collection]", "12 CVE exploits posted in 'scoreblue' CVE tally", "http://www.screensaver.com/ruxitbeacon", "watson.telemetry.microsoft.us [Data traffic manager]", "https://www.virustotal.com/graph/embed/gcbfc9c0da50d4e0b826b5d57", "103.224.212.34 scanning_host", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "init-p01st.push.apple.com", "msftconnecttest.com", "Plumix.com", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "Crowdsourced YARA Rulesets", "https://pin.it/ [SQLi Dumper]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Dark power", "Artemis", "Emotet", "Daisy coleman", "Death bitches", "Tsara brashears", "Trojan:win32/detplock", "Agent tesla - s0331", "Azorult", "Dnspionage", "Vidar", "Lockbit", "Tulach", "Trickbot - s0266", "Apple malware", "Cve jar", "Agent tesla", "Lolkek", "Twitter malware", "Quasar rat", "Gootloader", "Qakbot", "Networm", "Facebook ht", "Maui ransomware", "Pwndlocker", "Formbook", "Remcos", "Malware", "Zbot", "Crack", "Fusioncore", "Ransomware", "Bit rat", "Tulach malware", "Trojanspy", "Fonepaw", "Swisyn", "Amazon aes", "Raccoon", "Dapato", "Chaos", "Ransomexx", "Apple", "Webtoolbar" ], "industries": [ "Technology" ], "unique_indicators": 105623 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/state.co", "whois": "http://whois.domaintools.com/state.co", "domain": "state.co", "hostname": "securemail.state.co" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "682d481cb7ed0e71682f8309", "name": "Plumix 41:1c:fc:08:65:49:a7:e3:91:67:ab:94:82:bf:2c:0f:af:e4:24:2a 2018-08-08 bis 2292-05-22", "description": "Plumix.com\nSerwer nazw domen\nns2.nazwa.pl , ns1.nazwa.pl", "modified": "2025-06-20T03:02:24.594000", "created": "2025-05-21T03:27:24.351000", "tags": [ "dht penomocnik", "anycast voip", "dht kopalnia", "chmura dht", "amazonaes", "akamai poczona", "chmura chmura", "dnparking dht", "porwany", "dnparking", "amazon02 spam", "4 zapisy", "cname", "mx a" ], "references": [ "Plumix.com", "https://www.virustotal.com/graph/embed/gcbfc9c0da50d4e0b826b5d57" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "SSLCertFingerprint": 1, "hostname": 387, "domain": 338, "FileHash-SHA256": 198, "URL": 958 }, "indicator_count": 1882, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "303 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e846796e72bee6be87c110", "name": "C:\\Program Files\\Microsoft Office\\root\\", "description": "C:\\Program Files\\Microsoft Office\\root\\\n\nIocs sampled from the directory: C:\\Program Files\\Microsoft Office\\root\\ (from an infected windows 11 sample PC)\nNot complete, will expand upon it later.\nUnder C:\\Program Files\\Microsoft Office there is...\n4x File Folders, 3x Edge HTML Docs", "modified": "2024-10-16T19:04:17.209000", "created": "2024-09-16T14:53:45.370000", "tags": [ "entity", "please", "javascript", "clientid", "platformwin32", "buildship", "architecturex86", "osbuild7601", "channeldcwin7", "installtypec2r", "sessionid" ], "references": [ "https://www.virustotal.com/graph/embed/g8c4e1b9704cb478f92c4fbb255016abe5beee3a86be54a118c68677c8976dcf7?theme=dark", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d/iocs", "https://www.virustotal.com/gui/collection/4ddaf1ccbac15330d25c28dbcc7c4f185279af098f013e0e9986afd18efc7c2d/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 3981, "URL": 685, "domain": 476, "hostname": 748 }, "indicator_count": 6178, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65afcb842689eb776c0737e5", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-23T14:21:56.725000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65aab8eb55243c504a2cb4c0", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65aab8eb55243c504a2cb4c0", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-19T18:01:15.365000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a9b87d2d435bdad9ce80a3", "name": "Racoon Stealer ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:47:09.818000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a9b4296442cc8db50a264f", "name": "Maui Ransomware ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:28:41.569000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "653977171f690fb9ab978bf3", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659331589faf01b909c1802d", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.413000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659331580cd1571f730b8de2", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.242000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a77022ab8eb59e186099", "name": "scan_host", "description": "", "modified": "2023-12-06T16:55:12.020000", "created": "2023-12-06T16:55:12.020000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 113, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://securemail.state.co", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://securemail.state.co", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776639011.9132464 }