{ "type": "URL", "indicator": "https://server.downloadnow-1.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://server.downloadnow-1.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3744790080, "indicator": "https://server.downloadnow-1.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 25, "pulses": [ { "id": "69e4e7cfdc3bb3cdffeecf7c", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:51.385000", "created": "2026-04-19T14:33:51.385000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "20 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e4e7c6ddf646eb4e645bd5", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:42.400000", "created": "2026-04-19T14:33:42.400000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "20 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916dc43beba2f3839fd7c36", "name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com", "description": "FireEye appears to have been a Cybersecurity that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ; reported false information / documentation. FEDNS1.FIREEYE.COM URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix", "modified": "2025-12-14T05:04:31.480000", "created": "2025-11-14T07:37:39.794000", "tags": [ "gmt content", "related tags", "found title", "cache control", "x request", "runtime", "vary", "reverse dns", "ashburn", "resource", "verdict", "address", "read c", "unicode", "high", "memcommit", "delete", "dock", "write", "execution", "next associated", "server response", "port", "destination", "crlf line", "malware", "png image", "rgba", "united states", "medium", "encrypt", "america", "msie", "unknown", "present jan", "name servers", "present oct", "present may", "present mar", "present dec", "present nov", "united", "present apr", "present jun", "urls show", "url hostname", "ip address", "google safe", "results jun", "canada unknown", "passive dns", "canada", "meta name", "robots content", "x ua", "ieedge chrome1", "twitter", "chrome", "urls", "files", "asn as13335", "dns resolutions", "trojan", "trojanspy", "win32", "title", "servers", "unknown ns", "domain", "present aug", "present sep", "files domain", "files related", "none google", "safe browsing", "unknown aaaa", "moved", "cloudfront x", "meta", "ip whois", "registrar", "hostname", "files ip", "ipv4 add", "location united", "america flag", "america asn", "present jul", "virtool", "record value", "dnssec", "meta http", "content", "gmt server", "litespeed x", "present feb", "write c", "as62597 nsone", "as16509", "module load", "t1129", "service", "dynamicloader", "windows", "tofsee", "stream", "hostile", "win64", "delete c", "all ipv4", "url analysis", "status", "error", "aaaa", "ireland unknown", "asn as14618", "backdoor", "a domains", "russia", "mtb nov", "ransom", "displayname", "push", "yara rule", "loaderid", "lidfileupd", "localcfg", "rndhex", "rndchar", "checks", "checks system", "filehash", "av detections", "ids detections", "yara detections", "learn", "command", "adversaries", "ck id", "name tactics", "suspicious", "informative", "spawns", "found", "ssl certificate", "flag", "server", "cloudflare", "csc corporate", "domains", "fireeye", "contacted hosts", "mitre att", "pattern match", "ck matrix", "hybrid", "local", "path", "click", "strings", "foundry", "josht.ca", "paid parking", "parking crews" ], "references": [ "Fireye - FEDNS1.FIREEYE.COM", "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==", "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356", "http://p2d.josht.ca/assets/content-delivery/depots/download", "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca", "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/", "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022", "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/", "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg", "https://p2d.josht.ca/api/depots/info/?depot=", "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/", "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.", "According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021", "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?", "Daisy was allegedly brutally assaulted by Matthew Barnett,", "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.", "Is that where they\u2019re getting these names? Rexxfield.com. SMH", "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.", "According to accounts she was afraid for her life , found to be safe then took her own life?", "Typing a suicide note on social media is suspicious since it could come from your murderer.", "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?", "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.", "and our limited information, is Daisy a victim or a crisis actor?", "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me", "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.", "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)", "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.", "FireEye was there in 2 year old pulse now removed? I\u2019ll find it." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7617, "domain": 1127, "hostname": 3591, "email": 9, "FileHash-SHA256": 1160, "FileHash-MD5": 481, "FileHash-SHA1": 404, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 14403, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a971ab44409ecb7018428", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-02T02:31:54.823000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6569984495dfed1b14e29217", "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9718ac97804d782cc16b", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-02T02:31:52.614000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6569984495dfed1b14e29217", "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6569984495dfed1b14e29217", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "Active iCloud monitoring by third party. Active cyber threat.\nFound in link on iOS device: p155-fmfmobile.icloud.com\nFraud services. No data, service, or legitimate carrier", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-01T08:24:36.293000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6561581c55aacc7f571968af", "name": "Mirai | Inmortal | Loki | SpyEye", "description": "attack, cyber threat, network, vehicle tracking, cnc, athena cyber stalking, betabot, social engineering, Cisco umbrella, bambernek simda, active threat, ongoing spreader, spyware, redline stealer, qakbot, anilise, milemighmedia, sweetheart videos botnetwork, targeting , redirects, network, targeted toyota tracking", "modified": "2023-12-25T01:00:05.300000", "created": "2023-11-25T02:12:44.278000", "tags": [ "replication", "date", "graph summary", "ssl certificate", "contacted", "whois record", "historical ssl", "threat roundup", "august", "tsara brashears", "whois whois", "execution", "dropped", "february", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "alexa top", "team", "malicious site", "malware", "phishing", "union", "bank", "unsafe", "united", "bambernek simda", "commerce", "pykspa", "bambernek", "ip reputation", "database", "vawtrak", "blacklist http", "search live", "api blog", "docs pricing", "login", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "reverse dns", "software", "general full", "resource", "hash", "get h2", "protocol h2", "security tls", "url http", "main", "attention", "please", "adblock pro", "loki", "mon jul", "first", "linkid252669", "pjp3sltkz", "heur", "malware site", "phishing site", "artemis", "iframe", "riskware", "exploit", "fakealert", "nircmd", "swrort", "downldr", "crack", "filetour", "cleaner", "wacatac", "xtrat", "genkryptik", "opencandy", "tiggre", "presenoker", "agent", "conduit", "xrat", "coinminer", "dropper", "alexa", "acint", "systweak", "behav", "download", "zbot", "xtreme", "installcore", "unruy", "patcher", "adload", "win64", "applicunwnt", "trojanspy", "webtoolbar", "cyber threat", "engineering", "firehol", "phishtank", "emotet", "ransomware", "malicious", "cobalt strike", "suppobox", "bradesco", "facebook", "banco", "nymaim", "smsspy", "stealer", "service", "mirai", "pony", "nanocore", "asyncrat", "downloader", "deepscan", "virut", "qakbot", "name verdict", "falcon sandbox", "blacklist https", "malicious url", "filerepmetagen", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "C2", "command_and_control", "spyware", "tracking", "targeting", "cyber stalking", "hostname", "simda", "kraken", "betabot", "zeus", "ramnit", "plasma", "citadel", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "spyeye", "vskimmer", "spitmo", "slingshot", "warbot", "redline stealer", "steam", "bandoo", "matsnu", "maltiverse", "bambernek gen", "internet storm", "infy", "inmortal", "addtopayload", "attack", "malvertizing" ], "references": [ "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "http://dev.findatoyota.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "MilesMX", "display_name": "MilesMX", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2450, "FileHash-SHA256": 2684, "domain": 1254, "URL": 9244, "CVE": 13, "FileHash-MD5": 931, "FileHash-SHA1": 487 }, "indicator_count": 17063, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580c52bf98f256b6a01da6", "name": "https://myaccount.uscis.gov/", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-18T00:58:58.944000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aac25a8a2caaddf0d3b88", "name": "https://myaccount.uscis.gov/", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-12-02T04:01:41.427000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655652f6ddcbf952a599cded", "export_count": 93, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655686e2c072557f03e9cba2", "name": "https://myaccount.uscis.gov/ [pulse created by Octoseek]", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T21:17:22.087000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655657ca2e402d4f98283de9", "name": "https://myaccount.uscis.gov/ ", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:56:26.312000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65565477da453c46f05a6ac4", "name": "BTW VirusTotal - \" interesting files written to disk during execution'", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:42:15.123000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655652f6ddcbf952a599cded", "name": "https://myaccount.uscis.gov/", "description": "After Mark Montano Md reported alleged acts by Jeffrey Scott Reimer after receiving 'multiple' reports of him aggressively pursuing Brashears, she was contacted, told she violated the Patriot Act by Big O Tires?!! Received letters from the above and harassed for years. Colorado Workers compensation is so corrupt this may be my last post. She was immediately framed , blamed, porn smeared and stalked. Denied medical care , when received died on surgery table, revised and disabled. Even the mafia would tackle only the associates bringing undue negative attention to their own organization.", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:35:50.285000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655650c9b2be6cc930c92cf3", "name": "https://myaccount.uscis.gov/", "description": "HOW!?!? My device was remotely logged into this account somehow.\nThis is egregious. Silence Threats. I have no connection to this but was contacted by a while ago. I don't know how or why a part of the government would attack a person with a TBI and C1 - S1 Spinal cord injury allegedly caused by Colorado physical therapist and protect him. Why is victim, tracked and unsafe, receiving death threats, monitored, denied medical care, stalked EVERYWHERE. \nEven felons aren't monitored for life. STOP.\nWill this get us killed. Do the right thing.\nGod bless America, purge the government.\nThe truth should set you fee not get you harmed.", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:26:33", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568b00198f82af2e88d463", "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet", "description": "", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-16T21:34:56.016000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6552d6f5f56d2e9cd9e18a30", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6552d6f5f56d2e9cd9e18a30", "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet", "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-14T02:09:57.370000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6552d60aae6e1b3c22455088", "name": "Hive 0065", "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-14T02:06:02.329000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a127b18f314c64abf0ca", "name": "MITRE ATT&C - T1140 - Deobfuscate/Decode Files or Information", "description": "", "modified": "2023-12-06T16:28:23.639000", "created": "2023-12-06T16:28:23.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a11eb966ec5b823d2ae8", "name": "Drive By Malware", "description": "", "modified": "2023-12-06T16:28:14.217000", "created": "2023-12-06T16:28:14.217000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a11966ff39f73aed8c7d", "name": "Fileless Malware", "description": "", "modified": "2023-12-06T16:28:09.128000", "created": "2023-12-06T16:28:09.128000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0cccd6a8c7cd79f535c", "name": "alt-YouTube.com", "description": "", "modified": "2023-12-06T16:26:52.138000", "created": "2023-12-06T16:26:52.138000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 688, "domain": 348, "hostname": 613, "URL": 663, "email": 2, "FileHash-MD5": 27, "FileHash-SHA1": 26 }, "indicator_count": 2367, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64eed9e039cd84d4b7b9aa54", "name": "MITRE ATT&C - T1140 - Deobfuscate/Decode Files or Information ", "description": "", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-30T05:55:44.012000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ee70f9eaecf035471ff80c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ee70f9eaecf035471ff80c", "name": "Drive By Malware ", "description": "", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-29T22:28:09.867000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ee7075f37dad88d73c3830", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ee7075f37dad88d73c3830", "name": "Fileless Malware", "description": "An example of 1 dangerous exploit. \nThis happened on Brand New fully updated locked down Apple iPhone, Samsung. If you happen to be looking at your phone, you may witness the following: Google logo on appengine.goohke .com Drive By will have a disclaimer that it is NOT affiliate.\nYou will see:\nhttps://accounts.google.com/AccountChooser?continue\nAll of your Gmail accounts will be displayed your primary account will be checked. The drive by happens at tspeed of 2 -3 seconds. Without clicking, your entire phone is compromised. Every account, locations, maps, YouTube, voice, camera, , keyloggers installed. This is not your fault. You are a target. There are empty hashes. It's fileless malware which does not write to storage. \nPhishing, malware hosting, other IoC s.\nExtremely hazardous, renders phone a zombie. New network and data plan all without your explicit consent.\nWelcome to the BotNetwork.\nhttp://appengine.google.com/\naccounts.google.com\nconsent.google.com/m?---- (Forced Consent on iOS device)", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-29T22:25:53.474000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64e8be2e44aac98c8d3a7a32", "name": "alt-YouTube.com", "description": "", "modified": "2023-09-24T14:00:05.977000", "created": "2023-08-25T14:43:58.732000", "tags": [ "as15169 google", "united", "search", "showing", "passive dns", "urls", "creation date", "record value", "entries", "found", "date", "error", "record type", "ttl value", "aaaa", "algorithm", "data", "v3 serial", "number", "issuer", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "dns replication", "historical ssl", "certificates", "first", "markmonitor", "google llc", "server", "registrar abuse", "whois lookups", "expiration date", "registrar iana", "admin country", "tech country", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "suricata", "et intelligence", "pattern match", "ascii text", "appdata", "unknown", "class", "critical", "meta", "august", "hybrid", "general", "local", "click", "strings", "windir", "api call", "ck id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 117, "FileHash-SHA1": 116, "domain": 657, "email": 11, "hostname": 613, "URL": 663, "FileHash-SHA256": 778 }, "indicator_count": 2955, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "938 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "p155-fmfmobile.icloud.com", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "Fireye - FEDNS1.FIREEYE.COM", "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.", "Resource: https://urlscan.io/domain/privaterelay.appleid.com", "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://p2d.josht.ca/assets/content-delivery/depots/download", "airinthemorning.net", "According to accounts she was afraid for her life , found to be safe then took her own life?", "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.", "Is that where they\u2019re getting these names? Rexxfield.com. SMH", "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.", "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.", "\u2193Command and Control \u2193", "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?", "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Typing a suicide note on social media is suspicious since it could come from your murderer.", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "FireEye was there in 2 year old pulse now removed? I\u2019ll find it.", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "news-publisher.pictures", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "applestore.net", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "http://notredamewormhoutnet.appleid.com/", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "http://dev.findatoyota.com/", "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/", "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg", "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022", "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)", "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "https://p2d.josht.ca/api/depots/info/?depot=", "and our limited information, is Daisy a victim or a crisis actor?", "Daisy was allegedly brutally assaulted by Matthew Barnett,", "http://certs.apple.com/appleistca2g1_bc.cer", "fmfmobile.fe.apple-dns.net", "developer.huawei.com", "CNC Hostname: urlspirit.spiritsoft.cn", "https://dc-mx.d3525d602ca2.pixelrz.com", "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Systweak", "Lumma", "Virus:dos/nanjing", "Networm", "Nircmd", "Kraddare", "Noname057", "Redline", "Suppobox", "Trojanspy", "Zbot", "Tinba", "Milesmx", "Swrort", "Trojan.agensla/msil", "Emotet", "Tiggre", "Spyeye", "Wacatac.", "Union", "Softcnapp", "Zeus", "Blacknet", "Citadel", "Inmortal", "Fusioncore", "Xrat", "Webtoolbar", "Win:zgrat", "Bambernek", "Domains" ], "industries": [], "unique_indicators": 106565 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/downloadnow-1.com", "whois": "http://whois.domaintools.com/downloadnow-1.com", "domain": "downloadnow-1.com", "hostname": "server.downloadnow-1.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 25, "pulses": [ { "id": "69e4e7cfdc3bb3cdffeecf7c", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:51.385000", "created": "2026-04-19T14:33:51.385000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "20 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e4e7c6ddf646eb4e645bd5", "name": "[[[[RVA Entry | Apple remote unlocking| Emotet | Redline]]] [clone by scoreblue]", "description": "", "modified": "2026-04-19T14:33:42.400000", "created": "2026-04-19T14:33:42.400000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "656a971ab44409ecb7018428", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "20 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916dc43beba2f3839fd7c36", "name": "Ransomware | FIREEYE.COM redirects to www.TRELLIX.com", "description": "FireEye appears to have been a Cybersecurity that now redirects to www.trellix.com. Seen before in a malicious MO.gov w/names of 2 \u2018alleged\u2019 female SA victims. I researched was without realizing it was a CySec.We have researched Trellix , found it to be malicious ; reported false information / documentation. FEDNS1.FIREEYE.COM URL is still found in several searches. So we researched it.\nRe: Safebae the other Mo. Gov SA URL found a\u2019. \u2018non profit\u2019 for Catherine \u2018Daisy\u2019 Coleman that isn\u2019t in any way related to her. It makes me believe it\u2019s could be related to Bae systems a collaboration with Peter Thiel's company Palantir, which provides data analytics software to governments and militaries. Significance: This partnership showcases the convergence of American tech innovation and traditional defense contracting, involving companies like Palantir and BAE Systems. \n\n#foundry #josht _ca #hostile #advesarial #contacted_hosts #safebae_or_bae_systems? #honeypotbot # fireeye #trellix", "modified": "2025-12-14T05:04:31.480000", "created": "2025-11-14T07:37:39.794000", "tags": [ "gmt content", "related tags", "found title", "cache control", "x request", "runtime", "vary", "reverse dns", "ashburn", "resource", "verdict", "address", "read c", "unicode", "high", "memcommit", "delete", "dock", "write", "execution", "next associated", "server response", "port", "destination", "crlf line", "malware", "png image", "rgba", "united states", "medium", "encrypt", "america", "msie", "unknown", "present jan", "name servers", "present oct", "present may", "present mar", "present dec", "present nov", "united", "present apr", "present jun", "urls show", "url hostname", "ip address", "google safe", "results jun", "canada unknown", "passive dns", "canada", "meta name", "robots content", "x ua", "ieedge chrome1", "twitter", "chrome", "urls", "files", "asn as13335", "dns resolutions", "trojan", "trojanspy", "win32", "title", "servers", "unknown ns", "domain", "present aug", "present sep", "files domain", "files related", "none google", "safe browsing", "unknown aaaa", "moved", "cloudfront x", "meta", "ip whois", "registrar", "hostname", "files ip", "ipv4 add", "location united", "america flag", "america asn", "present jul", "virtool", "record value", "dnssec", "meta http", "content", "gmt server", "litespeed x", "present feb", "write c", "as62597 nsone", "as16509", "module load", "t1129", "service", "dynamicloader", "windows", "tofsee", "stream", "hostile", "win64", "delete c", "all ipv4", "url analysis", "status", "error", "aaaa", "ireland unknown", "asn as14618", "backdoor", "a domains", "russia", "mtb nov", "ransom", "displayname", "push", "yara rule", "loaderid", "lidfileupd", "localcfg", "rndhex", "rndchar", "checks", "checks system", "filehash", "av detections", "ids detections", "yara detections", "learn", "command", "adversaries", "ck id", "name tactics", "suspicious", "informative", "spawns", "found", "ssl certificate", "flag", "server", "cloudflare", "csc corporate", "domains", "fireeye", "contacted hosts", "mitre att", "pattern match", "ck matrix", "hybrid", "local", "path", "click", "strings", "foundry", "josht.ca", "paid parking", "parking crews" ], "references": [ "Fireye - FEDNS1.FIREEYE.COM", "http://3marketeers.org/sstcp/ss_ct/ct/Foundry-US-Palo-Alto-Networks-Q423-The-Complete-Cloud-Security-LP.html?_v_c=MzI5MDQ0OQ==sosODczNzY1sosNTM1NTU5Mjc=&ide=YXZhLmNoYXdsYUBhbGdvc2VjLmNvbQ==&lbu=eQ==", "http://allitlive.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1OA==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://tecwebnow.com/sstcp/ss_ct/ct/Foundry-Q124-DE-eBook-The-data-store-for-AI-Landing-page.html?_v_c=MzM3OTU1Nw==sosNjQ0MA==sosNjI5NDA4MDQ=&ide=cmFkb3NsYXcubWFqY3pha0BseW9uZGVsbGJhc2VsbC5jb20=&lbu=eQ==", "https://visionayr-live.com/sstcp/ss_at/at/Foundry-Q423-The-Quantified-Benefits-of-Fortinet-Security-Operations-Solutions-lp.html?_v_c=MzE3MDM0Mg==sosMzczODcwsosNDkzNDA4ODI=&lb_email=carine.malessard@idorsia.com&campaign_id=254013&program_id=36356", "http://p2d.josht.ca/assets/content-delivery/depots/download", "test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 p2d.josht.ca pma.josht.ca \u2022 sa.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio \u2022 http://josht.ca/portfolio/ \u2022 http://p2d.josht.ca/ \u2022 http://pma.josht.ca/ \u2022 http://sa.josht.ca", "http://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 http://staging.josht.\u2022 https://dev.josht.ca/", "https://p2d.josht.ca/assets/content-delivery/depots/download/ \u2022 https://test.josht.ca/ \u2022", "https://josht.ca/portfolio/style.css \u2022https://sa.josht.ca \u2022 https://staging.josht.ca/", "https://josht.ca/favicon.ico \u2022 https://josht.ca/portfolio/ \u2022 https://josht.ca/portfolio/background.jpg", "https://p2d.josht.ca/api/depots/info/?depot=", "https://p2d.josht.ca/assets/content \u2022 http://joshwilsonmusic.umg-wp.com/", "Audrie & Daisy documentary unknown to any Sexual Assault advocacies across USA. We really researched.", "According to newspaper accounts and Daisy Coleman committed suicide in Lakewood , Co in 2021", "Next her mom commits suicide, brother died in a one car accident, Fatver died in an accident. Entire family dead?", "Daisy was allegedly brutally assaulted by Matthew Barnett,", "Matthew grandfather , a powerful local politician & former republican Missouri state representative, Rex Barnett.", "Is that where they\u2019re getting these names? Rexxfield.com. SMH", "There is evidence that Miss Coleman lived and died in Colorado after reporting being stalked.", "According to accounts she was afraid for her life , found to be safe then took her own life?", "Typing a suicide note on social media is suspicious since it could come from your murderer.", "So both Tsara Brashears & Daisy Coleman have identical stories? No one would help her?", "Since I don\u2019t know Daisy and have zero records except from accounts by someone in a botnet\u2026.", "and our limited information, is Daisy a victim or a crisis actor?", "Dad drives off road. Daisy raped, bullied, brother driven off road if you ask me", "Daisy dies in the same night she doesn\u2019t want to, Mom decided to join her? No. Murder or HoneyPot tales.", "Mo.Gov associated https://otx.alienvault.com/pulse/6916d97edb28b2616ffac3ab (cloned from OctoSeek)", "Sometimes pulses are attacked by a delete service. Sometimes people asked to have IoC\u2019s removed.", "FireEye was there in 2 year old pulse now removed? I\u2019ll find it." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7617, "domain": 1127, "hostname": 3591, "email": 9, "FileHash-SHA256": 1160, "FileHash-MD5": 481, "FileHash-SHA1": 404, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 14403, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a971ab44409ecb7018428", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-02T02:31:54.823000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6569984495dfed1b14e29217", "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9718ac97804d782cc16b", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-02T02:31:52.614000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": "6569984495dfed1b14e29217", "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6569984495dfed1b14e29217", "name": "RVA Entry | Apple remote unlocking| Emotet | Redline | | Injection", "description": "Active iCloud monitoring by third party. Active cyber threat.\nFound in link on iOS device: p155-fmfmobile.icloud.com\nFraud services. No data, service, or legitimate carrier", "modified": "2023-12-30T14:02:30.516000", "created": "2023-12-01T08:24:36.293000", "tags": [ "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "communicating", "siblings", "file", "hell", "lenovo tablet", "name servers", "as714 apple", "united", "creation date", "search", "servers", "date", "moved", "certificate", "passive dns", "body", "historical", "collections", "contacted", "strange", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "blacklist http", "cisco umbrella", "site", "safe site", "alexa top", "malicious site", "malware site", "phishing site", "million", "malware", "http attacker", "ip address", "algorithm", "v3 serial", "number", "ist ca", "g1 validity", "public key", "info", "key algorithm", "ec oid", "key identifier", "first", "team alexa", "downloader", "wed apr", "alexa", "pony", "name verdict", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "mitre att", "null", "unknown", "span", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "refresh", "tools", "malicious url", "hostname", "hostnames", "phishing", "union", "team", "bank", "unsafe", "spammer", "node tcp", "traffic", "attacker", "tor known", "tor relayrouter", "jul jan", "mon sep", "heur", "artemis", "iframe", "conduit", "crack", "riskware", "opencandy", "cleaner", "exploit", "downldr", "presenoker", "wacatac", "agent", "fusioncore", "applicunwnt", "acint", "nircmd", "swrort", "systweak", "behav", "tiggre", "genkryptik", "filetour", "generic", "patcher", "driverpack", "xtrat", "softcnapp", "cyber threat", "dns server", "http spammer", "host", "download", "asyncrat", "cobalt strike", "apple", "urls http", "368600", "320700", "dc1542721039132", "subdomains", "noname057", "tld count", "urls", "blacklist https", "engineering", "singapore", "phishtank", "suppobox", "bambernek", "facebook", "zbot", "malicious", "zeus", "emotet", "ransomware", "nymaim", "redline stealer", "service", "virut", "kraken", "keybase", "stealer", "hawkeye", "tinba", "mirai", "nanocore", "bradesco", "cve201711882", "ip detections", "country", "83500", "1602192580242", "1602192586217", "blog", "1602192588844", "1602192624796", "303300", "vhash", "authentihash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "trid windows", "control panel", "file version", "copyright", "product", "description", "original name", "internal name", "rticon neutral", "chi2", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "count blacklist", "tag tag", "dot net", "assembly common", "clr version", "assembly name", "address", "assembly", "rva entry", "streams size", "entropy chi2", "guid", "applenoc", "showing", "record value", "scan endpoints", "all search", "as20940", "as16625 akamai", "status", "cname", "china", "as136907 huawei", "nanjing", "as2914 ntt", "america", "as7843 charter", "as6461 zayo", "domain", "p155-fmfmobile.icloud.com", "t-mobile", "metro t-mobile", "metro", "metroby", "social engineering", "happywifehappylife", "bot", "darknet service", "tsara brashears", "jeffrey reimer", "pixelrz", "yandex", "cp", "cyber", "red team", "framing", "qwest", "cybercrime", "cyber threat", "sha256", "runtime process", "sha1", "size", "windows nt", "indicator", "svg scalable", "accept", "unis", "buttons", "overwrite", "format", "spyware", "heodo", "fri nov", "installcore", "installpack", "win64", "fakealert", "dropper", "fakeinstaller", "spyrixkeylogger", "bitminer", "loadmoney", "dapato", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "predator", "kraddare", "iobit", "dllinject", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "unruy", "floxif", "adload", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "privacy admin", "privacy tech", "com laude", "redacted for", "server", "priority", "email", "organization", "city", "cnapple public", "server rsa", "stcalifornia", "cnapple ist", "identity search", "group", "issuer criteria", "type", "ilike search", "id logged", "valid", "no no", "no na", "ip security", "apple", "limited", "ca id", "lsalford", "ocomodo ca", "code signing", "mozilla", "android", "memory checks", "dotnet_encrypted", "multi family rat detection", "malware_win_zgrat" ], "references": [ "Resource: https://www.hybrid-analysis.com/sample/a1f40ad80f0a9e0dab543bcbbc70b4b7a941fbf8cd781ff52cd902bd7fe68cf7", "p155-fmfmobile.icloud.com", "\u2193Everything listed below found in link 'p155-fmfmobile.icloud.com' monitoring targeted apple device\u2193", "developer.huawei.com", "PostBot.exe [0092864768862a870598a5f2e3f0052aaf3745cb57e71d3a4df5ac3a053059928591]", "http://www.cscglobal.com/global/web/csc/digital-brand-services.html", "Resource: https://www.hybrid-analysis.com/sample/0163a8787d958fed0d776ff72770cb40a146db528953b9da20a9f8d448171272/63169b4320a3f45a09183e45", "fmfmobile.fe.apple-dns.net", "http://news_at_info_iscanner_com_v72qynxzp9_3d157e86@privaterelay.appleid.com/", "http://notredamewormhoutnet.appleid.com/", "news-publisher.pictures", "applestore.net", "airinthemorning.net", "http://certs.apple.com/appleistca2g1_bc.cer", "http://pixelrz.com/list] (Yandex and Baidu spider, illegal content scraper)", "https://dc-mx.d3525d602ca2.pixelrz.com", "http://www.mobilevpn.download/files/ntn/nt1x.html?&model=iPhone&browser=Mobile%20Safari&city=Baltimore&brand=Apple&isp=The%20Johns%20Hopkins%20Medical%20Institutions&ip=162.129.252.228&td=xentracking.com&uclick=j246fny90&uclickhash=j246fny90-j246fny90-he7v-0-sca0-7vj20-7voc6o-cad73c", "http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/Accept-Language:", "http://pixelrz.com/lists/keywords/tsara-brashears-dead (unconfirmed death)", "http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/ (unconfirmed crime)", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ (confirmed transactional agreement)", "http://pixelrz.com/lists/suggestions/rs485-arduino/", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception/ ( badgering. libel)", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer (open records act: confirmed assault report with injuries. Unconfirmed police investigation)", "http://hidden-camera-public-nudity.tubesporno.com (Found in link 'p155-fmfmobile.icloud.com' on Apple device)", "http://info_at_twitter_com_rrrdxjyct7_5e128c93@privaterelay.appleid.com", "Resource: https://www.hybrid-analysis.com/sample/eb4b220c2393f8c04d5ec911a958c479a5dd920c6e9a323fed596e5c8483d9eb/65689de21b67ec5fc7086f84", "Resource: https://crt.sh/?q=privaterelay.appleid.com", "\u2193Command and Control \u2193", "CNC IPv4: 107.6.74.76 \u2022 110.42.64.224 \u2022 147.75.61.38 \u2022 147.75.63.87 \u2022 150.95.255.38 \u2022 162.255.119.250 \u2022 173.231.184.124 \u2022 173.231.189.15 \u2022 39.103.219.62 \u2022 52.241.88.36", "CNC Hostname: urlspirit.spiritsoft.cn", "Malware IPv4: 17.167.144.79\u2022 \u2022 17.167.144.79 \u2022 17.167.146.83 \u2022 17.248.131.138 \u2022 17.248.139.74 \u2022 17.248.145.169 \u2022 17.248.241.114 \u2022 52.85.90.62 12/29/23 \u2022 104.27.146.207 \u2022 3.209.222.16", "Malware: Hostname browser.events.data.msn.com \u2022 Domain icloud.com.cn \u2022 Domain dropbox.com \u2022 Hostname privaterelay.appleid.com", "Resource: https://urlscan.io/domain/privaterelay.appleid.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Systweak", "display_name": "Systweak", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null }, { "id": "Tinba", "display_name": "Tinba", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Tiggre", "display_name": "Tiggre", "target": null }, { "id": "FusionCore", "display_name": "FusionCore", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "nircmd", "display_name": "nircmd", "target": null }, { "id": "noname057", "display_name": "noname057", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Softcnapp", "display_name": "Softcnapp", "target": null }, { "id": "Union", "display_name": "Union", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "Kraddare", "display_name": "Kraddare", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "trojan.agensla/msil", "display_name": "trojan.agensla/msil", "target": null }, { "id": "Win:ZGRAT", "display_name": "Win:ZGRAT", "target": null }, { "id": "Wacatac.", "display_name": "Wacatac.", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1220, "FileHash-SHA1": 613, "FileHash-SHA256": 5010, "URL": 13617, "hostname": 3699, "domain": 2783, "email": 11, "CVE": 23, "CIDR": 2 }, "indicator_count": 26978, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "841 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6561581c55aacc7f571968af", "name": "Mirai | Inmortal | Loki | SpyEye", "description": "attack, cyber threat, network, vehicle tracking, cnc, athena cyber stalking, betabot, social engineering, Cisco umbrella, bambernek simda, active threat, ongoing spreader, spyware, redline stealer, qakbot, anilise, milemighmedia, sweetheart videos botnetwork, targeting , redirects, network, targeted toyota tracking", "modified": "2023-12-25T01:00:05.300000", "created": "2023-11-25T02:12:44.278000", "tags": [ "replication", "date", "graph summary", "ssl certificate", "contacted", "whois record", "historical ssl", "threat roundup", "august", "tsara brashears", "whois whois", "execution", "dropped", "february", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "alexa top", "team", "malicious site", "malware", "phishing", "union", "bank", "unsafe", "united", "bambernek simda", "commerce", "pykspa", "bambernek", "ip reputation", "database", "vawtrak", "blacklist http", "search live", "api blog", "docs pricing", "login", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "reverse dns", "software", "general full", "resource", "hash", "get h2", "protocol h2", "security tls", "url http", "main", "attention", "please", "adblock pro", "loki", "mon jul", "first", "linkid252669", "pjp3sltkz", "heur", "malware site", "phishing site", "artemis", "iframe", "riskware", "exploit", "fakealert", "nircmd", "swrort", "downldr", "crack", "filetour", "cleaner", "wacatac", "xtrat", "genkryptik", "opencandy", "tiggre", "presenoker", "agent", "conduit", "xrat", "coinminer", "dropper", "alexa", "acint", "systweak", "behav", "download", "zbot", "xtreme", "installcore", "unruy", "patcher", "adload", "win64", "applicunwnt", "trojanspy", "webtoolbar", "cyber threat", "engineering", "firehol", "phishtank", "emotet", "ransomware", "malicious", "cobalt strike", "suppobox", "bradesco", "facebook", "banco", "nymaim", "smsspy", "stealer", "service", "mirai", "pony", "nanocore", "asyncrat", "downloader", "deepscan", "virut", "qakbot", "name verdict", "falcon sandbox", "blacklist https", "malicious url", "filerepmetagen", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "C2", "command_and_control", "spyware", "tracking", "targeting", "cyber stalking", "hostname", "simda", "kraken", "betabot", "zeus", "ramnit", "plasma", "citadel", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "spyeye", "vskimmer", "spitmo", "slingshot", "warbot", "redline stealer", "steam", "bandoo", "matsnu", "maltiverse", "bambernek gen", "internet storm", "infy", "inmortal", "addtopayload", "attack", "malvertizing" ], "references": [ "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "http://dev.findatoyota.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "MilesMX", "display_name": "MilesMX", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2450, "FileHash-SHA256": 2684, "domain": 1254, "URL": 9244, "CVE": 13, "FileHash-MD5": 931, "FileHash-SHA1": 487 }, "indicator_count": 17063, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580c52bf98f256b6a01da6", "name": "https://myaccount.uscis.gov/", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-18T00:58:58.944000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aac25a8a2caaddf0d3b88", "name": "https://myaccount.uscis.gov/", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-12-02T04:01:41.427000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655652f6ddcbf952a599cded", "export_count": 93, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655686e2c072557f03e9cba2", "name": "https://myaccount.uscis.gov/ [pulse created by Octoseek]", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T21:17:22.087000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://server.downloadnow-1.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://server.downloadnow-1.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776682047.534188 }