{ "type": "URL", "indicator": "https://server.woool123.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://server.woool123.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3388580714, "indicator": "https://server.woool123.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 20, "pulses": [ { "id": "694d7d426afd8c1c816ddb9e", "name": "Apple \u2022 IRS | ELF:DDoS |\tUnix.Trojan.Gafgyt redirects and blocks US taxpayers from making payments to IRS", "description": "This truly requires further research. This is a serious issue. There is are US adversaries blocking fiscally financial taxpayers from paying genie income taxes, threatening a levy, and other financially damaging consequences. It\u2019s clear to me the website is fraudulent. One target is an Apple user and an accountant. \n\n\nThere have been millions on financial crimes against this victim who I am now labeling a \u2018target\u2019. There are 4 other females\u2019 going through same thing. Losing assets, unable to reconcile taxes despite", "modified": "2026-01-24T17:05:40.719000", "created": "2025-12-25T18:06:58.222000", "tags": [ "united", "et trojan", "hello ssl", "whitelisted", "unknown", "ciphersuite", "sessionid", "asnone", "united kingdom", "show", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "aaaa", "present sep", "gmt secure", "passive dns", "urls", "gmt cache", "service", "title", "brazil as16625", "akamai", "top source", "tcp include", "top destination", "source source", "destination", "port", "gtmkv978zl", "utc gzy6fm95cs5", "utc na", "utc google", "analytics na", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "access att", "bad traffic", "et info", "tls handshake", "failure", "windir", "openurl c", "prefetch2", "dns requests", "domain address", "poland unknown", "ip address", "search", "present oct", "a domains", "body head", "document moved", "unique", "maxage86400", "httponly", "google safe", "browsing", "whois", "virustotal api", "screenshots", "comments", "pragma", "data upload", "extraction", "type", "extr", "delete c", "writeconsolew", "windows", "t1045", "read c", "susp", "dock", "win64", "alerts", "icmp traffic", "pdb path", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "yara detections", "lumen", "lumen ip", "public bgp", "address range", "cidr", "network name", "allocation type", "whois server", "entity lpl141", "handle", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "status", "showing", "domain", "trojan", "trojandropper", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "ipv4 add", "files", "location united", "america flag", "america asn", "nethandle", "net4", "net40000", "lpl141", "llc orgid", "city", "la postalcode", "dynamicloader", "write c", "medium", "named pipe", "yara rule", "high", "ms windows", "encrypt", "pegasus", "markus", "smartassembly", "next", "msie", "t1063", "windows nt", "fastly", "foundry", "palantir", "bgp", "webkit bugzilla", "record value", "content type", "bugzilla", "meta", "present nov", "entries", "atom", "apple", "chrome", "moved", "apple center", "gmt content", "name servers", "servers", "expiration date", "pulse submit", "url analysis", "date", "apple server", "apple dns", "asp.bet", "data collection", "bgp ip", "lumen control", "lumen admin", "level 3", "ipv4", "reverse dns", "found", "hostname add", "present jul", "present jun", "belize", "unknown ns", "present aug", "domain add", "creation date", "failed", "enter sc", "extra data", "include", "review exclude", "america united", "dns resolutions", "linuxgafgyt feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada" ], "malware_families": [ { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win3", "display_name": "ALF:JASYP:Trojan:Win3", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0", "display_name": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Government", "Finance", "Telecommunications", "Technology", "Civil Society", "IRS" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4187, "hostname": 1574, "FileHash-SHA256": 2387, "FileHash-MD5": 189, "FileHash-SHA1": 161, "domain": 800, "CVE": 1, "email": 13, "CIDR": 1, "SSLCertFingerprint": 4 }, "indicator_count": 9317, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "85 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687f0f210ec1de4316b22522", "name": "Strange Medical Facility with Overt Bad Actors Spying on Disabled", "description": "Strange Medical Facility with Overt Bad Actors already Spying on Disabled. Everything including bathroom is monitored.\nfounderintech.com\nwww.galbutfamilyfoundation.com\t\nwpengine.com\t\nhttps://foundry2sdbl.dvr.dn2.n-helix.com\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\npegasusthruster.com\t\nhttps://www.pegasusthruster.com/\t\nsmtp.pegasustech.net\nhttp://pegasusthruster.com/shoppegasus/includes/att", "modified": "2025-08-21T03:02:43.704000", "created": "2025-07-22T04:10:09.158000", "tags": [ "date", "submit url", "analysis", "passive dns", "urls", "files", "ip address", "asn as13335", "whois registrar", "creation date", "extraction", "data", "extri", "include review", "iocs", "data upload", "united", "unknown aaaa", "search", "showing", "moved", "a domains", "record value", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6560, "FileHash-MD5": 121, "FileHash-SHA1": 125, "FileHash-SHA256": 3989, "domain": 1616, "hostname": 1876, "email": 3, "CVE": 2 }, "indicator_count": 14292, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "241 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "670224ac3c8cce621843a477", "name": "Man in Browser Multi-systems attack | Ransom", "description": "System wide issues. Internal and external attack affecting medical and educational institution \u2022 Man in Browser \u2022 Mail spammer. Many other priority vulnerabilities.\nShort List of Malware Families\nAtros3.AHFB\nETPRO\nNOD32\nSAPE.Heur.9B552\nSpammer:MSIL/Misnt.A\nSymantec\nTrojan:Win32/Zonsterarch\nWin.Ransomware.Sodinokibi-7013612-0\nIDS Detections\nW32/Emotet.v4 Checkin", "modified": "2024-11-05T05:02:29.649000", "created": "2024-10-06T05:48:28.806000", "tags": [ "as32934", "passive dns", "urls", "address", "search", "unknown", "aaaa", "as13414 twitter", "as19679 dropbox", "germany unknown", "france unknown", "hong kong", "asnone hong", "kong unknown", "kong", "all scoreblue", "ipv4", "files", "http", "ip address", "related nids", "files location", "flag united", "hostname", "a domains", "meta", "moved", "body", "as13768 aptum", "canada", "asnone united", "whitelisted", "url analysis", "location united", "cookie", "united states", "record type", "ttl value", "key identifier", "full name", "data", "v3 serial", "number", "cus odigicert", "cndigicert sha2", "high assurance", "server ca", "validity", "united", "as2914 ntt", "yuming", "name servers", "date", "next", "as32780 hosting", "welcome", "pulse pulses", "accept", "domainmaster", "creation date", "expiration date", "as35280 acorus", "as396982 google", "status", "cname", "united kingdom", "trojan", "service", "ransom", "pulse submit", "asn as35280", "error", "japan unknown", "post https", "post method", "medium", "high", "registry", "creates", "alerts", "contacted", "tools", "win32", "malware", "copy", "persistence", "execution", "powershell e", "script urls", "httponly set", "general", "read c", "show", "entries", "etpro trojan", "intel", "ms windows", "file", "virustotal", "write", "baidu", "vipre", "panda", "download", "main", "look", "install", "push", "sape.heur.9b552", "nod32", "symantec", "etpro", "dynamicloader", "yara rule", "stack pivoting", "cape", "maninbrowser", "mitb", "t1055", "server", "registrar abuse", "contact phone", "registrar url", "registrar", "whois lookup", "dnssec", "domain name", "attempts", "performs", "packing t1045", "browse scan", "august", "as174 cogent", "canada unknown", "overview ip", "files domain", "files related", "pulses none", "related tags", "gmt content", "type", "content length", "svr id", "encrypt", "trojandropper", "virtool", "msie", "chrome", "as45012 dogado", "tr tr", "die domain", "td tr", "gmt server", "scan endpoints", "scoreblue ipv4", "ripe route", "ip location", "asn as45012", "cloudpit dogado", "gmbh", "whois server", "reverse ip", "abuse contact", "de adminc", "ssh attacker", "mysql", "tor relays", "sabey type", "showing", "pulses", "indicator facts", "hichina zhicheng technology ltd.,", "domain", "as4837 china", "china unknown", "default", "tlsv1", "germany as34788", "post", "windows nt", "dotted quad", "fake browser", "artemis", "emotet", "as9808 china", "as56047 china", "as56040 china", "as58541 qingdao", "et trojan", "sinkhole cookie", "macoute", "sha256", "yara detections", "worm", "explorer", "possible", "april", "uchealth", "ogoogle inc", "lsalford", "ocomodo ca", "limited", "secure server", "c2087940" ], "references": [ "\u00bb 2preprod-sonar-data-preprod-sonar-data5z.redirectme.netmovilpreprod-sonar-datappmovilpreprod-sonar-datafentryd.0025.ali.zomans.com", "prfsmtppr01ccd.uchospitals.edu \u2022 165.68.13.55", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Get MX ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download", "Spammer:MSIL/Misnt.A PLUS - FileHash-SHA256 5966e329cb56a0cc4956f1ca0da2b337aa3e6145d4622ac1152bfc29ab96304d", "YARA Detections: WinRAR_SFX", "High Priority Alerts: antisandbox_unhook antivirus_virustotal", "utmmail.bcw.edu | 166.78.44.213 11/04/24 | isu.edu | iup.edu | siu.edu | stcloudstate.edu | ucr.edu | router9.mail.cornell.edu", "dmz-mailsec-scanner-6.mit.edu | external-relay.iupui.edu | fresno.ucsf.edu | mail.virginia.edu | mailfilter2.cgu.edu | mx.gonzaga.edu", "mx3.stanford.edu | my-stjohns-edu.mail.protection.outlook.com | prfsmtppr01ccd.uchospitals.edu", "extdomembers-2022.bounceme.netoppofrobledevradiod.devkissflowd-netoppofweblatedevradio-krd-kr-finance-fw.devkissflowd-netoppofweblatedevradio-krd-kr.ali.zomans.com", "trojan.msil.spammer.ai = spammer.ai", "interact.f5.com", "https://0-enakamai-lanwpradio-pornos4-dd-engine.redirectme.netoppofe2znetoppofindnetoppofcassandraddd-production.neto46cassandra.ali.zomans.com", "http://apple.phishing.91tbc.com/ | apple.phishing.491459.top http://apple.phishing.91tbc.com/?ZYUKUR=8049183536181170.html", "https://bd-server.com/user/JasminMcVey2/", "http://google.com.demo-box.cognito.svcgateway.foodsigned-php.ppp.canva-apps.cn/", "(Invalid IP) 022.12.7.75 Chrome \\\\ user data \\\\ crowd deny \\\\ rData \\\\ crowd deny \\\\ 28 \\\\ metadata \\\\ ve", "(Invalid IP) 022.12.7.75 redirect \u00bb 18.12.7.75 AS 3 (MIT-GATEWAYS) US", "High Priority IDS Detections: W32/Emotet.v4 FileHash-SHA256 613ed78c024ee7744c5b53c18b315d10faa39d18975f1634f82da61c02ea8a4f", "Suspicious of NSO Pegasus type spyware campaign (possibly)" ], "public": 1, "adversary": "", "targeted_countries": [ "Singapore", "Malaysia", "United States of America", "Argentina", "France", "Sweden", "Ireland", "Romania", "Taiwan", "Germany", "Netherlands", "Brazil", "Colombia", "Indonesia", "Hong Kong", "Poland", "Slovakia", "Lithuania", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Slovenia", "Greece", "Italy", "Aruba", "China", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Zonsterarch", "display_name": "Trojan:Win32/Zonsterarch", "target": "/malware/Trojan:Win32/Zonsterarch" }, { "id": "Win.Ransomware.Sodinokibi-7013612-0", "display_name": "Win.Ransomware.Sodinokibi-7013612-0", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Spammer:MSIL/Misnt.A", "display_name": "Spammer:MSIL/Misnt.A", "target": "/malware/Spammer:MSIL/Misnt.A" }, { "id": "SAPE.Heur.9B552", "display_name": "SAPE.Heur.9B552", "target": null }, { "id": "NOD32", "display_name": "NOD32", "target": null }, { "id": "Symantec", "display_name": "Symantec", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "C2087940", "display_name": "C2087940", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [ "Healthcare", "Civilian Society", "Technology", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1287, "hostname": 2995, "URL": 3606, "email": 22, "FileHash-MD5": 173, "FileHash-SHA256": 1059, "FileHash-SHA1": 163, "CIDR": 1, "SSLCertFingerprint": 43 }, "indicator_count": 9349, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d32648280eb859dfca1c19", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:48.037000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d3264283628d23b8f28b9d", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:42.621000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a4898fa85cad0af83e032d", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus ", "description": "", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-15T01:25:35.060000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "659864448507cc1752ff6456", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659864448507cc1752ff6456", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:16.886000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659864357d1d3185efc5c112", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:01.457000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a581b1024ea61979da96", "name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)", "description": "", "modified": "2023-12-06T16:46:57.782000", "created": "2023-12-06T16:46:57.782000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 5791, "hostname": 3255, "domain": 2317, "FileHash-MD5": 44, "FileHash-SHA1": 34, "URL": 11513 }, "indicator_count": 22957, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657092eb7c26b2cfaf15afb2", "name": "Twitter Cards", "description": "", "modified": "2023-12-06T15:27:39.330000", "created": "2023-12-06T15:27:39.330000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 672, "domain": 647, "hostname": 803, "URL": 2896, "CVE": 1 }, "indicator_count": 5019, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708c4f41727d49d783b766", "name": "RU KR .fill your boots -jaon file from vt graph 194.105.148.87", "description": "", "modified": "2023-12-06T14:59:27.563000", "created": "2023-12-06T14:59:27.563000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 858, "hostname": 589, "URL": 2061, "domain": 301 }, "indicator_count": 3809, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657081856fc8dcb570f6aae6", "name": "tseries.com", "description": "", "modified": "2023-12-06T14:13:25.510000", "created": "2023-12-06T14:13:25.510000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2213, "hostname": 1034, "domain": 446, "URL": 3255, "FileHash-MD5": 1, "email": 1 }, "indicator_count": 6950, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707fb98073ae7c257ccd92", "name": "Truthsocial.com", "description": "", "modified": "2023-12-06T14:05:45.403000", "created": "2023-12-06T14:05:45.403000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1804, "FileHash-SHA256": 1282, "hostname": 598, "domain": 372, "SSLCertFingerprint": 2, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 4062, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707faeb891d6de64d8e793", "name": "nytimes - cooking", "description": "", "modified": "2023-12-06T14:05:34.796000", "created": "2023-12-06T14:05:34.796000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 795, "hostname": 446, "domain": 231, "URL": 1324 }, "indicator_count": 2796, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "650a0b7c9a6b3c5d0a2a3960", "name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)", "description": "Link: apple.instagram.com \nQuasar is a lightweight, publicly available open-source Remote Access Trojan (RAT). Used by a variety of attackers. Typically packed to make analysis of the source demanding.\nAccount appears to have been breached, operational in dark web. Dead host.", "modified": "2023-10-19T14:04:37.381000", "created": "2023-09-19T20:58:36.137000", "tags": [ "contacted", "threat roundup", "execution", "ssl certificate", "dark web", "crypto threat", "resolutions", "referrer", "stealer", "quasar", "asyncrat", "error", "social engineering", "iPhone phishing", "Apple phishing", "email phishing", "emotet", "remote", "attacks" ], "references": [ "Alienvault OTX", "Data Analysis", "Online Research", "WebTools" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "India" ], "malware_families": [ { "id": "Backdoor:MSIL/AsyncRAT", "display_name": "Backdoor:MSIL/AsyncRAT", "target": "/malware/Backdoor:MSIL/AsyncRAT" }, { "id": "Backdoor:MSIL/QuasarRat", "display_name": "Backdoor:MSIL/QuasarRat", "target": "/malware/Backdoor:MSIL/QuasarRat" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" } ], "industries": [ "Media", "Social Media", "Technology", "Hacking" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 44, "FileHash-SHA1": 34, "FileHash-SHA256": 5791, "URL": 11513, "domain": 2317, "hostname": 3255, "CVE": 3 }, "indicator_count": 22957, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "913 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6341a53e0b5b54bf9de2b1a9", "name": "Twitter Cards", "description": "", "modified": "2022-11-07T16:01:58.911000", "created": "2022-10-08T16:28:46.313000", "tags": [ "whois record", "ssl certificate", "whois whois", "pe resource", "historical ssl", "siblings domain", "referrer", "parent domain", "resolutions", "contacted urls", "execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2896, "hostname": 803, "domain": 647, "FileHash-SHA256": 672, "CVE": 1 }, "indicator_count": 5019, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1259 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6261635800a6b5abe58e2512", "name": "RU KR .fill your boots -jaon file from vt graph 194.105.148.87", "description": "", "modified": "2022-05-21T00:03:44.725000", "created": "2022-04-21T13:59:52.458000", "tags": [ "RU", "KR" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 589, "URL": 2061, "FileHash-SHA256": 858, "domain": 301 }, "indicator_count": 3809, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622cd115776f6dc57930ca58", "name": "tseries.com", "description": "", "modified": "2022-04-11T00:04:29.819000", "created": "2022-03-12T16:57:57.187000", "tags": [ "ssl certificate", "whois", "whois record", "wired" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1034, "URL": 3255, "domain": 446, "FileHash-SHA256": 2213, "FileHash-MD5": 1, "email": 1 }, "indicator_count": 6950, "is_author": false, "is_subscribing": null, "subscriber_count": 410, "modified_text": "1469 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621e3e993f08849d931cfcee", "name": "nytimes - cooking", "description": "", "modified": "2022-03-31T00:02:44.795000", "created": "2022-03-01T15:41:13.781000", "tags": [ "ssl certificate", "whois", "whois record" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 446, "URL": 1324, "domain": 231, "FileHash-SHA256": 795 }, "indicator_count": 2796, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1480 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621e711be241bbaacb36d1a7", "name": "Truthsocial.com", "description": "", "modified": "2022-03-31T00:02:44.795000", "created": "2022-03-01T19:16:43.455000", "tags": [ "log id", "gmtn", "tls web", "encrypt", "ca issuers", "aa71", "moved", "hostname ip", "country type", "entries server", "code", "false", "body", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1804, "hostname": 598, "domain": 372, "FileHash-SHA256": 1282, "FileHash-MD5": 2, "SSLCertFingerprint": 2, "FileHash-SHA1": 2 }, "indicator_count": 4062, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1480 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "mx3.stanford.edu | my-stjohns-edu.mail.protection.outlook.com | prfsmtppr01ccd.uchospitals.edu", "WebTools", "sweetheartvideo.com", "Certificate Subject CN=brazzerspesonals.com", "prfsmtppr01ccd.uchospitals.edu \u2022 165.68.13.55", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download", "utmmail.bcw.edu | 166.78.44.213 11/04/24 | isu.edu | iup.edu | siu.edu | stcloudstate.edu | ucr.edu | router9.mail.cornell.edu", "Data Analysis", "104.247.75.218 | [cnc ]", "extdomembers-2022.bounceme.netoppofrobledevradiod.devkissflowd-netoppofweblatedevradio-krd-kr-finance-fw.devkissflowd-netoppofweblatedevradio-krd-kr.ali.zomans.com", "www.governmentattic.org [privilege: malicious malware downloading]", "Alienvault OTX", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Get MX ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List", "Spammer:MSIL/Misnt.A PLUS - FileHash-SHA256 5966e329cb56a0cc4956f1ca0da2b337aa3e6145d4622ac1152bfc29ab96304d", "(Invalid IP) 022.12.7.75 Chrome \\\\ user data \\\\ crowd deny \\\\ rData \\\\ crowd deny \\\\ 28 \\\\ metadata \\\\ ve", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "http://google.com.demo-box.cognito.svcgateway.foodsigned-php.ppp.canva-apps.cn/", "http://r3.o.lencr.org", "Online Research", "dmz-mailsec-scanner-6.mit.edu | external-relay.iupui.edu | fresno.ucsf.edu | mail.virginia.edu | mailfilter2.cgu.edu | mx.gonzaga.edu", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "http://apple.phishing.91tbc.com/ | apple.phishing.491459.top http://apple.phishing.91tbc.com/?ZYUKUR=8049183536181170.html", "Suspicious of NSO Pegasus type spyware campaign (possibly)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "interact.f5.com", "High Priority IDS Detections: W32/Emotet.v4 FileHash-SHA256 613ed78c024ee7744c5b53c18b315d10faa39d18975f1634f82da61c02ea8a4f", "https://bd-server.com/user/JasminMcVey2/", "(Invalid IP) 022.12.7.75 redirect \u00bb 18.12.7.75 AS 3 (MIT-GATEWAYS) US", "CVE-2017-0147", "https://0-enakamai-lanwpradio-pornos4-dd-engine.redirectme.netoppofe2znetoppofindnetoppofcassandraddd-production.neto46cassandra.ali.zomans.com", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "www.dead-speak.com", "\u00bb 2preprod-sonar-data-preprod-sonar-data5z.redirectme.netmovilpreprod-sonar-datappmovilpreprod-sonar-datafentryd.0025.ali.zomans.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "YARA Detections: WinRAR_SFX", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "trojan.msil.spammer.ai = spammer.ai", "114.114.114.114 - Tulach Malware", "https://www.adultforce.com/ [malvertizing Tsara Brashears]", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "Targeting", "High Priority Alerts: antisandbox_unhook antivirus_virustotal" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Symantec", "Lumen ip", "Alf:jasyp:trojan:win32/ircbot!atmn", "Win.ransomware.sodinokibi-7013612-0", "Unknown malware \u2018can't access file\u2019", "Tulach", "Spammer:msil/misnt.a", "Win.trojan.fenomengame-8", "Et", "Hallgrand", "Hacktool", "Nod32", "Cve-2017-0147", "Mirai", "Atros3.ahfb", "Backdoor:msil/asyncrat", "Worm:win32/macoute.a", "Trojandropper:win32/muldrop", "Alf:jasyp:trojan:win3", "C2087940", "Brashears", "Spaceship", "Sape.heur.9b552", "Qbot", "Win.malware.msilperseus-6989564-0", "Sabey", "Pandex!gen1", "Appleservice", "Backdoor:msil/quasarrat", "Elf:ddos-s\\ [trj]\t\tunix.trojan.gafgyt-6981154-0", "Mirai sim swap", "Etpro", "Trojan:win32/zonsterarch", "Virus:dos/paris", "Emotet", "Hallrender" ], "industries": [ "Media", "Irs", "Technology", "Hacking", "Social media", "Healthcare", "Telecommunications", "Government", "Civil society", "Finance", "Education", "Civilian society" ], "unique_indicators": 143027 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/woool123.com", "whois": "http://whois.domaintools.com/woool123.com", "domain": "woool123.com", "hostname": "server.woool123.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 20, "pulses": [ { "id": "694d7d426afd8c1c816ddb9e", "name": "Apple \u2022 IRS | ELF:DDoS |\tUnix.Trojan.Gafgyt redirects and blocks US taxpayers from making payments to IRS", "description": "This truly requires further research. This is a serious issue. There is are US adversaries blocking fiscally financial taxpayers from paying genie income taxes, threatening a levy, and other financially damaging consequences. It\u2019s clear to me the website is fraudulent. One target is an Apple user and an accountant. \n\n\nThere have been millions on financial crimes against this victim who I am now labeling a \u2018target\u2019. There are 4 other females\u2019 going through same thing. Losing assets, unable to reconcile taxes despite", "modified": "2026-01-24T17:05:40.719000", "created": "2025-12-25T18:06:58.222000", "tags": [ "united", "et trojan", "hello ssl", "whitelisted", "unknown", "ciphersuite", "sessionid", "asnone", "united kingdom", "show", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "aaaa", "present sep", "gmt secure", "passive dns", "urls", "gmt cache", "service", "title", "brazil as16625", "akamai", "top source", "tcp include", "top destination", "source source", "destination", "port", "gtmkv978zl", "utc gzy6fm95cs5", "utc na", "utc google", "analytics na", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "access att", "bad traffic", "et info", "tls handshake", "failure", "windir", "openurl c", "prefetch2", "dns requests", "domain address", "poland unknown", "ip address", "search", "present oct", "a domains", "body head", "document moved", "unique", "maxage86400", "httponly", "google safe", "browsing", "whois", "virustotal api", "screenshots", "comments", "pragma", "data upload", "extraction", "type", "extr", "delete c", "writeconsolew", "windows", "t1045", "read c", "susp", "dock", "win64", "alerts", "icmp traffic", "pdb path", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "yara detections", "lumen", "lumen ip", "public bgp", "address range", "cidr", "network name", "allocation type", "whois server", "entity lpl141", "handle", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "status", "showing", "domain", "trojan", "trojandropper", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "ipv4 add", "files", "location united", "america flag", "america asn", "nethandle", "net4", "net40000", "lpl141", "llc orgid", "city", "la postalcode", "dynamicloader", "write c", "medium", "named pipe", "yara rule", "high", "ms windows", "encrypt", "pegasus", "markus", "smartassembly", "next", "msie", "t1063", "windows nt", "fastly", "foundry", "palantir", "bgp", "webkit bugzilla", "record value", "content type", "bugzilla", "meta", "present nov", "entries", "atom", "apple", "chrome", "moved", "apple center", "gmt content", "name servers", "servers", "expiration date", "pulse submit", "url analysis", "date", "apple server", "apple dns", "asp.bet", "data collection", "bgp ip", "lumen control", "lumen admin", "level 3", "ipv4", "reverse dns", "found", "hostname add", "present jul", "present jun", "belize", "unknown ns", "present aug", "domain add", "creation date", "failed", "enter sc", "extra data", "include", "review exclude", "america united", "dns resolutions", "linuxgafgyt feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada" ], "malware_families": [ { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Lumen IP", "display_name": "Lumen IP", "target": null }, { "id": "Win.Malware.Msilperseus-6989564-0", "display_name": "Win.Malware.Msilperseus-6989564-0", "target": null }, { "id": "Unknown Malware \u2018Can't access file\u2019", "display_name": "Unknown Malware \u2018Can't access file\u2019", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Win.Trojan.Fenomengame-8", "display_name": "Win.Trojan.Fenomengame-8", "target": null }, { "id": "ALF:JASYP:Trojan:Win3", "display_name": "ALF:JASYP:Trojan:Win3", "target": null }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0", "display_name": "ELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai Sim Swap", "display_name": "Mirai Sim Swap", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" } ], "industries": [ "Government", "Finance", "Telecommunications", "Technology", "Civil Society", "IRS" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4187, "hostname": 1574, "FileHash-SHA256": 2387, "FileHash-MD5": 189, "FileHash-SHA1": 161, "domain": 800, "CVE": 1, "email": 13, "CIDR": 1, "SSLCertFingerprint": 4 }, "indicator_count": 9317, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "85 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687f0f210ec1de4316b22522", "name": "Strange Medical Facility with Overt Bad Actors Spying on Disabled", "description": "Strange Medical Facility with Overt Bad Actors already Spying on Disabled. Everything including bathroom is monitored.\nfounderintech.com\nwww.galbutfamilyfoundation.com\t\nwpengine.com\t\nhttps://foundry2sdbl.dvr.dn2.n-helix.com\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\npegasusthruster.com\t\nhttps://www.pegasusthruster.com/\t\nsmtp.pegasustech.net\nhttp://pegasusthruster.com/shoppegasus/includes/att", "modified": "2025-08-21T03:02:43.704000", "created": "2025-07-22T04:10:09.158000", "tags": [ "date", "submit url", "analysis", "passive dns", "urls", "files", "ip address", "asn as13335", "whois registrar", "creation date", "extraction", "data", "extri", "include review", "iocs", "data upload", "united", "unknown aaaa", "search", "showing", "moved", "a domains", "record value", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6560, "FileHash-MD5": 121, "FileHash-SHA1": 125, "FileHash-SHA256": 3989, "domain": 1616, "hostname": 1876, "email": 3, "CVE": 2 }, "indicator_count": 14292, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "241 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "670224ac3c8cce621843a477", "name": "Man in Browser Multi-systems attack | Ransom", "description": "System wide issues. Internal and external attack affecting medical and educational institution \u2022 Man in Browser \u2022 Mail spammer. Many other priority vulnerabilities.\nShort List of Malware Families\nAtros3.AHFB\nETPRO\nNOD32\nSAPE.Heur.9B552\nSpammer:MSIL/Misnt.A\nSymantec\nTrojan:Win32/Zonsterarch\nWin.Ransomware.Sodinokibi-7013612-0\nIDS Detections\nW32/Emotet.v4 Checkin", "modified": "2024-11-05T05:02:29.649000", "created": "2024-10-06T05:48:28.806000", "tags": [ "as32934", "passive dns", "urls", "address", "search", "unknown", "aaaa", "as13414 twitter", "as19679 dropbox", "germany unknown", "france unknown", "hong kong", "asnone hong", "kong unknown", "kong", "all scoreblue", "ipv4", "files", "http", "ip address", "related nids", "files location", "flag united", "hostname", "a domains", "meta", "moved", "body", "as13768 aptum", "canada", "asnone united", "whitelisted", "url analysis", "location united", "cookie", "united states", "record type", "ttl value", "key identifier", "full name", "data", "v3 serial", "number", "cus odigicert", "cndigicert sha2", "high assurance", "server ca", "validity", "united", "as2914 ntt", "yuming", "name servers", "date", "next", "as32780 hosting", "welcome", "pulse pulses", "accept", "domainmaster", "creation date", "expiration date", "as35280 acorus", "as396982 google", "status", "cname", "united kingdom", "trojan", "service", "ransom", "pulse submit", "asn as35280", "error", "japan unknown", "post https", "post method", "medium", "high", "registry", "creates", "alerts", "contacted", "tools", "win32", "malware", "copy", "persistence", "execution", "powershell e", "script urls", "httponly set", "general", "read c", "show", "entries", "etpro trojan", "intel", "ms windows", "file", "virustotal", "write", "baidu", "vipre", "panda", "download", "main", "look", "install", "push", "sape.heur.9b552", "nod32", "symantec", "etpro", "dynamicloader", "yara rule", "stack pivoting", "cape", "maninbrowser", "mitb", "t1055", "server", "registrar abuse", "contact phone", "registrar url", "registrar", "whois lookup", "dnssec", "domain name", "attempts", "performs", "packing t1045", "browse scan", "august", "as174 cogent", "canada unknown", "overview ip", "files domain", "files related", "pulses none", "related tags", "gmt content", "type", "content length", "svr id", "encrypt", "trojandropper", "virtool", "msie", "chrome", "as45012 dogado", "tr tr", "die domain", "td tr", "gmt server", "scan endpoints", "scoreblue ipv4", "ripe route", "ip location", "asn as45012", "cloudpit dogado", "gmbh", "whois server", "reverse ip", "abuse contact", "de adminc", "ssh attacker", "mysql", "tor relays", "sabey type", "showing", "pulses", "indicator facts", "hichina zhicheng technology ltd.,", "domain", "as4837 china", "china unknown", "default", "tlsv1", "germany as34788", "post", "windows nt", "dotted quad", "fake browser", "artemis", "emotet", "as9808 china", "as56047 china", "as56040 china", "as58541 qingdao", "et trojan", "sinkhole cookie", "macoute", "sha256", "yara detections", "worm", "explorer", "possible", "april", "uchealth", "ogoogle inc", "lsalford", "ocomodo ca", "limited", "secure server", "c2087940" ], "references": [ "\u00bb 2preprod-sonar-data-preprod-sonar-data5z.redirectme.netmovilpreprod-sonar-datappmovilpreprod-sonar-datafentryd.0025.ali.zomans.com", "prfsmtppr01ccd.uchospitals.edu \u2022 165.68.13.55", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Get MX ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download", "Spammer:MSIL/Misnt.A PLUS - FileHash-SHA256 5966e329cb56a0cc4956f1ca0da2b337aa3e6145d4622ac1152bfc29ab96304d", "YARA Detections: WinRAR_SFX", "High Priority Alerts: antisandbox_unhook antivirus_virustotal", "utmmail.bcw.edu | 166.78.44.213 11/04/24 | isu.edu | iup.edu | siu.edu | stcloudstate.edu | ucr.edu | router9.mail.cornell.edu", "dmz-mailsec-scanner-6.mit.edu | external-relay.iupui.edu | fresno.ucsf.edu | mail.virginia.edu | mailfilter2.cgu.edu | mx.gonzaga.edu", "mx3.stanford.edu | my-stjohns-edu.mail.protection.outlook.com | prfsmtppr01ccd.uchospitals.edu", "extdomembers-2022.bounceme.netoppofrobledevradiod.devkissflowd-netoppofweblatedevradio-krd-kr-finance-fw.devkissflowd-netoppofweblatedevradio-krd-kr.ali.zomans.com", "trojan.msil.spammer.ai = spammer.ai", "interact.f5.com", "https://0-enakamai-lanwpradio-pornos4-dd-engine.redirectme.netoppofe2znetoppofindnetoppofcassandraddd-production.neto46cassandra.ali.zomans.com", "http://apple.phishing.91tbc.com/ | apple.phishing.491459.top http://apple.phishing.91tbc.com/?ZYUKUR=8049183536181170.html", "https://bd-server.com/user/JasminMcVey2/", "http://google.com.demo-box.cognito.svcgateway.foodsigned-php.ppp.canva-apps.cn/", "(Invalid IP) 022.12.7.75 Chrome \\\\ user data \\\\ crowd deny \\\\ rData \\\\ crowd deny \\\\ 28 \\\\ metadata \\\\ ve", "(Invalid IP) 022.12.7.75 redirect \u00bb 18.12.7.75 AS 3 (MIT-GATEWAYS) US", "High Priority IDS Detections: W32/Emotet.v4 FileHash-SHA256 613ed78c024ee7744c5b53c18b315d10faa39d18975f1634f82da61c02ea8a4f", "Suspicious of NSO Pegasus type spyware campaign (possibly)" ], "public": 1, "adversary": "", "targeted_countries": [ "Singapore", "Malaysia", "United States of America", "Argentina", "France", "Sweden", "Ireland", "Romania", "Taiwan", "Germany", "Netherlands", "Brazil", "Colombia", "Indonesia", "Hong Kong", "Poland", "Slovakia", "Lithuania", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Slovenia", "Greece", "Italy", "Aruba", "China", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Zonsterarch", "display_name": "Trojan:Win32/Zonsterarch", "target": "/malware/Trojan:Win32/Zonsterarch" }, { "id": "Win.Ransomware.Sodinokibi-7013612-0", "display_name": "Win.Ransomware.Sodinokibi-7013612-0", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Spammer:MSIL/Misnt.A", "display_name": "Spammer:MSIL/Misnt.A", "target": "/malware/Spammer:MSIL/Misnt.A" }, { "id": "SAPE.Heur.9B552", "display_name": "SAPE.Heur.9B552", "target": null }, { "id": "NOD32", "display_name": "NOD32", "target": null }, { "id": "Symantec", "display_name": "Symantec", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "C2087940", "display_name": "C2087940", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [ "Healthcare", "Civilian Society", "Technology", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1287, "hostname": 2995, "URL": 3606, "email": 22, "FileHash-MD5": 173, "FileHash-SHA256": 1059, "FileHash-SHA1": 163, "CIDR": 1, "SSLCertFingerprint": 43 }, "indicator_count": 9349, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d32648280eb859dfca1c19", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:48.037000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d3264283628d23b8f28b9d", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:42.621000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a4898fa85cad0af83e032d", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus ", "description": "", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-15T01:25:35.060000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "659864448507cc1752ff6456", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659864448507cc1752ff6456", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:16.886000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659864357d1d3185efc5c112", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:01.457000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a581b1024ea61979da96", "name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)", "description": "", "modified": "2023-12-06T16:46:57.782000", "created": "2023-12-06T16:46:57.782000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 5791, "hostname": 3255, "domain": 2317, "FileHash-MD5": 44, "FileHash-SHA1": 34, "URL": 11513 }, "indicator_count": 22957, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657092eb7c26b2cfaf15afb2", "name": "Twitter Cards", "description": "", "modified": "2023-12-06T15:27:39.330000", "created": "2023-12-06T15:27:39.330000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 672, "domain": 647, "hostname": 803, "URL": 2896, "CVE": 1 }, "indicator_count": 5019, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://server.woool123.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://server.woool123.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638618.0394027 }