{ "type": "URL", "indicator": "https://siaberm.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://siaberm.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3850751858, "indicator": "https://siaberm.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 24, "pulses": [ { "id": "69c795bb826e6067f37ea127", "name": "'3' clone by credit: krishivpatel", "description": "", "modified": "2026-03-28T08:47:55.537000", "created": "2026-03-28T08:47:55.537000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": "66cc6e2c6c5bb617fa7fa892", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ddf5bda001ff2f840c20e7", "name": "Mofksys - Originated from an X.com image", "description": "Mofksys - Originated from an X.com image Clicked on image to expand. Image coded. IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWFF.COM - Seen before. Associated with Pegasus in the past. \n\n#wannacry #wannacrypt #ransomware #phishing #other_malware_packed#cabby#driveby #milesmx #keystrokes #record #screencapture #mofksys #remote access #fullaccess #code -#botnet #deadhost #otx_pulsed #hilo:", "modified": "2025-11-01T03:03:51.684000", "created": "2025-10-02T03:47:09.092000", "tags": [ "url http", "url https", "h oct", "united", "netherlands", "present apr", "passive dns", "ip address", "present jul", "domain add", "pulse pulses", "urls", "files", "trojan", "entries", "next associated", "mtb nov", "ipv4 add", "overview domain", "files ip", "address", "location united", "asn asnone", "whois registrar", "mtb apr", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3888, "domain": 1009, "hostname": 2134, "FileHash-SHA256": 2150, "CVE": 1, "FileHash-MD5": 106, "FileHash-SHA1": 107 }, "indicator_count": 9395, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d3368ae75cccf736a55441", "name": "ET TROJAN Hiloti/Mufanom Downloader Checkin | Denizbankk.net", "description": "", "modified": "2025-10-23T23:03:23.167000", "created": "2025-09-24T00:08:42.048000", "tags": [ "log id", "gmtn", "tls web", "zerossl", "zerossl rsa", "domain secure", "site ca", "fa c7", "ocsp", "a167", "code", "keepalive", "false", "record type", "ttl a", "value", "o jarm", "fingerprint", "file format", "relevance", "united", "tempe", "arizona create", "domain", "expiry date", "name", "query time", "technical city", "tempe technical", "technical state", "rdap database", "handle", "iana registrar", "links", "algorithm", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl rsa", "validity", "server", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "available from", "country", "proxy", "postal code", "city", "admin city", "tempe admin", "filehashmd5", "url https", "filehashsha1", "url http", "type indicator", "role title", "added active", "related pulses", "filehashsha256", "showing", "germany unknown", "passive dns", "entries", "a domains", "body doctype", "content type", "gmt server", "ipv4 add", "pulse submit", "url analysis", "main", "apache", "accept", "title", "present dec", "present jun", "present nov", "aaaa", "present feb", "present sep", "search", "canada", "encrypt", "devam", "ad soyad", "mteri numaras", "gvenlik iin", "gizli soru", "gvenlik sorusu", "cevab", "ltfen bir", "present may", "moved", "present oct", "ip address", "gandi sas", "body", "backdoor", "next associated", "trojandropper", "fastly error", "please", "sea p", "twitter", "win32", "creation date", "name servers", "hostname add", "pulse pulses", "urls", "record value", "japan", "germany", "ipv4", "countries", "america", "netherlands", "italy", "brian sabey", "report spam", "tsara brashears", "created", "days ago", "green well", "sabey stash", "service", "hours ago", "malicious", "forbidden", "actionlistccc", "malware family", "mufanom att", "capture", "ck ids", "checkin", "t1036", "t1055", "injection", "t1056" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": "68d332d77a7eedf3ad71c406", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 617, "URL": 2495, "hostname": 1698, "FileHash-MD5": 275, "FileHash-SHA1": 265, "FileHash-SHA256": 1241, "SSLCertFingerprint": 2, "email": 4 }, "indicator_count": 6597, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d332d77a7eedf3ad71c406", "name": "Denizbankk.net \u2022 LevelBlue - Open Threat Exchange", "description": "Denizbankk.net \u2022 Debian.org \u2022 hallrender.com \u2022 alienvault.com \u2022 hopto.org \u2022 striven.com| ? | This is concerning. It\u2019s not like intended to find what I have found but I am disappointed. The few people on the platform who do their own research eventually leave with a large amount of reposters. Related to haallrendee, brian sabey and each link listed. Stange happenings this weak. [otx auto populated- Google Safe Browsing, Denizbankk.net, has been used by the Russian government to create a secure web address that can be accessed only if the user has the correct address.{", "modified": "2025-10-23T23:03:23.167000", "created": "2025-09-23T23:52:55.453000", "tags": [ "log id", "gmtn", "tls web", "zerossl", "zerossl rsa", "domain secure", "site ca", "fa c7", "ocsp", "a167", "code", "keepalive", "false", "record type", "ttl a", "value", "o jarm", "fingerprint", "file format", "relevance", "united", "tempe", "arizona create", "domain", "expiry date", "name", "query time", "technical city", "tempe technical", "technical state", "rdap database", "handle", "iana registrar", "links", "algorithm", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl rsa", "validity", "server", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "available from", "country", "proxy", "postal code", "city", "admin city", "tempe admin", "filehashmd5", "url https", "filehashsha1", "url http", "type indicator", "role title", "added active", "related pulses", "filehashsha256", "showing", "germany unknown", "passive dns", "entries", "a domains", "body doctype", "content type", "gmt server", "ipv4 add", "pulse submit", "url analysis", "main", "apache", "accept", "title", "present dec", "present jun", "present nov", "aaaa", "present feb", "present sep", "search", "canada", "encrypt", "devam", "ad soyad", "mteri numaras", "gvenlik iin", "gizli soru", "gvenlik sorusu", "cevab", "ltfen bir", "present may", "moved", "present oct", "ip address", "gandi sas", "body", "backdoor", "next associated", "trojandropper", "fastly error", "please", "sea p", "twitter", "win32", "creation date", "name servers", "hostname add", "pulse pulses", "urls", "record value", "japan", "germany", "ipv4", "countries", "america", "netherlands", "italy", "brian sabey", "report spam", "tsara brashears", "created", "days ago", "green well", "sabey stash", "service", "hours ago", "malicious", "forbidden", "actionlistccc", "malware family", "mufanom att", "capture", "ck ids", "checkin", "t1036", "t1055", "injection", "t1056" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 617, "URL": 2495, "hostname": 1698, "FileHash-MD5": 275, "FileHash-SHA1": 265, "FileHash-SHA256": 1241, "SSLCertFingerprint": 2, "email": 4 }, "indicator_count": 6597, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686d28ec9208b0424e0ccad2", "name": "Remote Keylogger | Foundry", "description": "Keylogger Remotely installed on all of targets devices. Up until\u2026 target had to purchase and return more than 50\ndevices minus service plans. Apple\nengineers have been involved many times. Mercenary attacks also confirmed: A kind phone store owner gave her a free phone that was hacked within seconds. \nUnless someone has been \u2018framing Palantir / Foundry Tech Mafia is portrayed a playing a significant involvement of SA victim potentially since day of coerced disclosure in 2013.\nThe first clue was a YouTube follower with a menacing name and picture began to follow, change login, network, dumped adult content, utilized web content scrapers,. stole\nPasswords,etc., Anyway .. Unruy & remotely installed keylogger. \n#foundry #apple #soc #keylogger \n\nThis is risky to say but very wrong to do. She was a multi generational (MGM) American.", "modified": "2025-09-19T03:02:22.742000", "created": "2025-07-08T14:19:24.211000", "tags": [ "delete", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "intel", "write", "malware", "dynamicloader", "yara rule", "high", "vmware", "phishing", "remote", "keylogger", "remote keylogger", "type indicator", "related pulses", "no expiration", "url https", "showing", "reputation", "foundry", "apple", "downloader", "trojan" ], "references": [ "http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||", "\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net", "\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects", "\u2022 199.59.243.226", "\u2022 ww25.vpn.steamcommunity-site.info", "\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/", "\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/", "\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us", "\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com", "\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Reputation.1", "display_name": "Reputation.1", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [ "Telecommunications", "Technology", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 244, "FileHash-SHA256": 4406, "URL": 9684, "domain": 3164, "hostname": 3370, "CVE": 1 }, "indicator_count": 21129, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6878a18234c007a966745bd8", "name": "Malware Packed | Affecting Technology Services", "description": "", "modified": "2025-08-16T07:00:49.321000", "created": "2025-07-17T07:08:50.192000", "tags": [ "win32", "united", "trojan", "mtb apr", "ransom", "trojandropper", "win32qqpass apr", "passive dns", "entries", "lowfi", "worm", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 588, "FileHash-MD5": 124, "FileHash-SHA1": 122, "FileHash-SHA256": 1382, "CVE": 1, "domain": 179, "email": 2, "hostname": 494 }, "indicator_count": 2892, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684a93360163e8802e213158", "name": "ELF:Mirai AMAZON-02 - Autonomous System 65.0.0.0/14", "description": "ELF:Mirai-BHZ\\ [Trj]\t\n65.0.0.0/14\nAutonomous System Number\n16509\nAutonomous System Label\nAMAZON-02\nRelated to \u2022 103.252.236.26 | \n\u2022 sr2.reliedhosting.com | \n.\u2022 http://planitair.com/ |\n\u2022 bgptools-wildcard-confirmed.acemalibu.com | \n\u2022 https://www.anyxxxtube.net/search-porn/tsara-brashears/ | \t\t\t\n\u2022 static.ads-twitter.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\t\n\u2022 analytics.twitter.com\n\u2022 appleupdate.org\n\u2022 apps.apple.com\n\u2022 pin.it |\n\u2022 https://pin.it/ |\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian Critical issue. Cyber weaponry [Unclear] Stealth contractual US cyber defense entity, endless DGA\u2019s. India IP block.\nAdversary named by bupyeongop:\n\ubd80\ud3c9\uc624\ud53c \ucd9c\uc7a5\ub9c8\uc0ac\uc9c0\uc548\ub0b4.COM \ubd80\ud3c9OP (massage service?)\n*DoS with many OTX features", "modified": "2025-07-12T07:04:05.635000", "created": "2025-06-12T08:43:34.719000", "tags": [ "thumbprint", "apnic", "apnic whois", "database", "please", "arin whois", "north america", "caribbean", "africa", "internet", "iana", "address range", "cidr", "network name", "allocation type", "whois server", "algorithm", "v3 serial", "number", "cbe oglobalsign", "r6 alphassl", "validity", "subject public", "key info", "key algorithm", "key identifier", "link", "search", "united", "a domains", "ip address", "creation date", "record value", "date", "showing", "india unknown", "status", "passive dns", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "location india", "india asn", "as133296 web", "dns resolutions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 27, "domain": 2499, "hostname": 2651, "URL": 10986, "CIDR": 2, "FileHash-SHA256": 3596, "email": 1, "FileHash-MD5": 23, "CVE": 7 }, "indicator_count": 19792, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "281 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68468505ee31db44fe063e82", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:53:57.123000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6846860ee9b4faefae8d4cf9", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:58:22.091000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6846860a0c5ff214f345717c", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:58:17.902000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68468511340fb7ba8eeb7aae", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:54:09.116000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6846850783baea1a6beb7e71", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. I won\u2019t be surprised if OTX cannot pull the threat. My account isn\u2019t allowing me full permissions. \n\n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:53:59.933000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68468501eb091ae414509121", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:53:53.417000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68468500f573317422968c7c", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:53:52.404000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6841039ff61dea1fcdcc53c1", "name": "Malicious WiFi Internet network | trojan.morstar/bundler", "description": "WiFi / Internet provider \nConcerning- targeting?\nhttp://www.dead-speak.com/PsychicMediums.htm | \nhttp://www.dead-speak.com/PsychicMediums.html |\nwww.dead-speak.com || https://pin.it/ | \nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian |\npin.it |", "modified": "2025-07-05T02:01:54.546000", "created": "2025-06-05T02:40:31.779000", "tags": [ "win32 exe", "pe32", "intel", "ms windows", "ms visual", "get http", "post http", "dns resolutions", "resolved ips", "symantec time", "stamping", "from", "algorithm", "thumbprint", "thumbprint md5", "signer", "g2 issuer", "ca valid", "serial number", "time stamping", "g4 issuer", "g2 valid", "usage ff", "code signing", "issuer certum", "certum code", "signing ca", "trusted network", "e5 e5", "d4 portable", "sha256", "overlay", "defense evasion", "access ta0006", "command", "control ta0011", "catalog tree", "anti", "ob0001", "analysis ob0002", "control ob0004", "ob0007 impact", "ob0012 file", "system oc0001", "memory oc0002", "data oc0004" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 156, "FileHash-SHA1": 139, "FileHash-SHA256": 3313, "URL": 1223, "domain": 186, "hostname": 313 }, "indicator_count": 5332, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "289 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66804428b487338dc16f70a7", "name": "Brian Sabey Orbiting Tsara Brashears and associates | Espionage | Said client: Jeffrey Reimer", "description": "Brian Sabey & large team continue excessive orbiting target & family members in multiple states. \nUnwarranted, dangerous and illegal. \nLarge attacks have wreaked havoc on medical establishments, targets medical profile, once profitable business, legal manipulation, financial well being. forced poverty, swatting, imfostealer, insurance fraud, intellectual property use, Audi le spying, in person stalking, confrontations, great bodily harm, loss of peace, safety. basic human rights and privacy, phone call redirection, malvertising. In the name of assaulter Jeffrey Scott Reimer", "modified": "2024-11-05T10:00:12.606000", "created": "2024-06-29T17:28:08.283000", "tags": [ "unknown", "united", "virgin islands", "as51852", "as33387", "as19905", "as44273 host", "cname", "nxdomain", "passive dns", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "urls", "files ip", "address domain", "ip related", "pulses otx", "pulses", "related tags", "indicator facts", "dga domain", "http", "unique", "scan endpoints", "all scoreblue", "pulse pulses", "ip address", "related nids", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "b59bn timestamp", "ff2c217402202b", "code", "false", "url https", "domain", "trojan", "hostname", "files", "body", "date", "path max", "age86400 set", "cookie", "script urls", "type", "mtb may", "script script", "trojanspy", "striven", "miles2", "rexxfield", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "date sat", "gmt server", "sakula malware", "historical ssl", "realteck audio", "lemon duck", "iocs", "tsara brashears", "loki password", "stealer", "windows", "auction", "metro", "core", "colibri loader", "hacktool", "status", "for privacy", "creation date", "record value", "name servers", "showing", "next", "mtb mar", "ipv4", "ransom", "west domains", "redacted for", "gmt location", "gmt max", "cowboy", "encrypt", "as60558 phoenix", "susp", "win32", "methodpost", "canada unknown", "as43350 nforce", "united kingdom", "as47846", "germany unknown", "briansabey", "body doubles", "orbiters", "malvertising", "cane", "get na", "show", "as16509", "delete c", "sinkhole cookie", "value snkz", "cape", "possible", "copy", "nivdort", "write", "bayrob", "malware", "exploit", "confirm https", "impact", "misc http", "cvss v2", "authentication", "n cvss", "v3 severity", "high attack", "emails", "cnc", "alphacrypt cnc", "beacon", "as15169 google", "limited", "as8560", "elite", "AS33387 nocix llc", "pegasus", "mercenary", "cellerebrand", "cellebrite", "apple", "dark", "apple ios", "ios", "apple iphone", "apple itunes", "itunes", "pegasystem", "data brokers", "hackers", "javascript", "please", "intel", "filehash", "av detections", "xorddos" ], "references": [ "http://www.northpoleroute.com/78985064&type=0&resid=5312625", "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0", "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc", "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f", "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1", "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin", "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Alerts: cape_detected_threat cape_extracted_content", "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49", "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee", "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845", "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02", "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534", "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6", "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251", "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a", "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4", "https://otx.alienvault.com/indicator/ip/162.222.213.199", "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad", "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437", "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec", "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb", "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7", "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943", "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f", "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893", "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e", "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx", "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin", "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "https://otx.alienvault.com/indicator/ip/185.230.63.186", "CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148", "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz", "smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]", "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/ip/63.141.242.45", "Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo", "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,", "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9", "Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559", "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Ransom:Win32/Haperlock.A", "display_name": "Ransom:Win32/Haperlock.A", "target": "/malware/Ransom:Win32/Haperlock.A" }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "TrojanClicker:Win32/Ellell.A", "display_name": "TrojanClicker:Win32/Ellell.A", "target": "/malware/TrojanClicker:Win32/Ellell.A" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Win.Virus.TeslaCrypt3-2/Custom", "display_name": "Win.Virus.TeslaCrypt3-2/Custom", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Ransom:Win32/Tescrypt", "display_name": "Ransom:Win32/Tescrypt", "target": "/malware/Ransom:Win32/Tescrypt" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan:Linux/Xorddos", "display_name": "Trojan:Linux/Xorddos", "target": "/malware/Trojan:Linux/Xorddos" }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 106, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3885, "hostname": 1651, "URL": 5981, "FileHash-MD5": 486, "FileHash-SHA256": 3859, "SSLCertFingerprint": 2, "FileHash-SHA1": 487, "CVE": 7, "email": 8 }, "indicator_count": 16366, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb3ef6d765187a437767e4", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware", "description": "This a project. A target has been put into different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious serious threat. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time,, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified , vulnerability filled 'made you click' document.. Faldif0, empty docmpty doc, citing it was refreshed in 2023. \nThere is no doubt these masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely. Attack is disseminates from USA.", "modified": "2024-10-18T20:04:41.836000", "created": "2024-09-18T20:58:30.691000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1495, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13588, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "548 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c9bb42dd32d415f9aaa06c", "name": "Botnet exchange | NORAD Tracking | Mirai | Injection | Spyware | Remote executions", "description": "North American Aerospace Defense Command NORAD - http://superanalbizflowforum.com/tsara-lynn-brashears (really?)\nwww.norad.mil , www.northcom.mil, dodcio.defense.gov, www.defense.gov\nwww.dodig.mil, www.foia.gov , prhome.defense.gov\n, www.ourmilitary.com, www.noradsanta.org , www.web.dma.mil \nIt's hard to tell or believe military and DoD conduct business this way. I tend to think scam abuse. Exception: target, escorted by security to appt in a DHS secured b,dg. She was then told to leave after receptionist received a call stating target was a threat. Entire floor was secured off. TB beyond upset w/ my carelessness of veteran & other comments. Targets Father, brother uncles, cousins, all served honorably w/some now terminally affected &mothers passed on from Camp Lejeune related complications. Father, an engineer & veteran worked on AEGIS weapons system test team for 3 now potentially decommissioned military Destroyers. \nI apologize prefusly for comment, MIL involvement was prevalent; it remains cloudy.", "modified": "2024-09-23T09:03:54.724000", "created": "2024-08-24T10:51:46.907000", "tags": [ "server", "whois lookup", "domain name", "llc sponsoring", "registrar iana", "referral url", "tsara brashears", "referrer", "porn", "networks", "botnet campaign", "pyinstaller", "apple", "password", "cybercrime", "it consultant", "metro", "skynet", "analyzer paste", "iocs", "hostnames", "urls http", "cyber threat", "cnc server", "ibm xforce", "exchange", "covid19", "tracker", "exchange botnet", "command", "control server", "keybase", "citadel", "stealer", "zeus", "radamant", "kovter", "zbot", "suppobox", "simda", "virut", "kraken", "amonetize", "msil", "phishing", "malicious", "feodo", "united", "germany unknown", "as133775 xiamen", "unknown", "china unknown", "passive dns", "domain", "search", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware site", "malicious site", "malware", "malicious url", "files domain", "files related", "related tags", "none md5", "as35908 krypt", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "status", "record value", "all scoreblue", "meta", "trend today", "link", "japan unknown", "script urls", "script script", "name servers", "script domains", "accept", "encrypt", "gmt content", "gmt etag", "ipv4", "url analysis", "pragma", "scan endpoints", "pulse submit", "urls", "body", "date", "hostname", "pulse pulses", "react app", "verizon feed", "bq aug", "typeof e", "object", "wds socket", "error", "path max", "path", "cookie", "suspicious", "virtool", "info", "trace", "moved", "aaaa nxdomain", "files", "a domains", "as9371 sakura", "service", "servers", "xml title", "dnssec", "showing", "next", "xserver", "title", "file", "type texthtml", "sha256", "read c", "write c", "kryptik", "tls sni", "style ssl", "cert", "amazon profile", "show", "cobaltstrike", "trojan", "copy", "write", "win32", "persistence", "execution", "media", "autorun", "delete c", "trojanspy", "entries", "bytes", "jpeg image", "ole control", "menu", "dock zone", "delphi", "dcom", "form", "canvas", "nxdomain", "ds nxdomain", "mirai variant", "useragent", "hello", "apache", "world", "inbound", "outbound", "hackingtrio ua", "activity mirai", "http traffic", "malware beacon", "mirai", "exploit", "shell", "aaaa", "as14061", "trojanclicker", "expl", "kr5a head", "abuse", "agent", "virgin islands", "as19905", "expiration date", "organization", "as4134 chinanet", "as4837 china", "type get", "as48447 sectigo", "united kingdom", "content type", "arial", "secure server", "as20940", "as2914 ntt", "as3257 gtt", "as2828 verizon", "general", ".mil", "brian sabey", "brian sabey" ], "references": [ "North American Aerospace Defense Command NORAD", "superanalbizflowforum.com | www.networksolutions.com", "http://superanalbizflowforum.com/tsara-lynn-brashears", "ELF:Mirai-GH\\ [Trj] Trojan:Win32/Cenjonsla.D!bit Trojan:Win32/SmokeLoader TrojanSpy:Win32/Small VirTool:Win32/Injector.gen!BQ", "https://www.virustotal.com/gui/search/engines:trojan%20AND%20engines:dropper%20AND%20engines:razy%20AND%20engines:copak", "ELF:Mirai-GH\\ [Trj] : FileHash-SHA256 866dfa8f3e4f4f26b70fd046fa6dcbc16eea1abc3bfaddb099d675e77ce26942 trojan", "Trojan:Win32/SmokeLoader : FileHash-SHA256 29d85b4c2d52a8bcb081aa40e3d4334a864e988e1fe17933f903b4114be8e56e", "TrojanSpy:Win32/Small : FileHash-SHA256 afec8925c79d6bb948ce08df54753268f63b4cb770456e6b623d9985fb1499cd", "Trojan:Win32/Cenjonsla.D!bit : FileHash-SHA256 8d5fe61f75602c85c9cd196e7accc17e119191655d4ecd56da498663f5a8c92b", "VirTool:Win32/Injector.gen!BQ : FileHash-SHA256 a23846fe9a306c84eb1fb2b6b0b2b3a5fdbd958f747a10ccdb435d97e35de6f9", "Malware Hosting: http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf", "Malware : http://gomyron.com/MTgzNjk=/2/6433/ronnoagraug/ - Huawei HG532 RCE Vulnerability", "Malware Hosting: 162.43.116.132 | 183.181.98.116", "CVE-2017-17215 - Huawei HG532 RCE Vulnerability / Huawei Remote Command Execution - Outbound / Huawei Remote Command Execution", "CVE-2017-8759 -\t\".NET Framework Remote Code Execution Vulnerability.\" CVE-2018-8453 - \"Win32k Elevation of Privilege Vulnerability.'", "dev.dancerage.com - Unknown\tdev.sportshelves.com\tA\t199.59.242.153| dev.sportshelves.com | www.imarkdev.com \u00d7 45.76.62.78 | ASN AS20473 the constant company llc", "Exploit source: 138.197.103.178", "https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Ransomware: FileHash-SHA256 557f1759be4fdf6b9dff732c8e8aa369f4d7f9fe61a0c462c0dc8d30c2973812" ], "public": 1, "adversary": "IDK", "targeted_countries": [ "Japan", "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanSpy:Win32/Small", "display_name": "TrojanSpy:Win32/Small", "target": "/malware/TrojanSpy:Win32/Small" }, { "id": "Trojan:Win32/Cenjonsla.D!bit", "display_name": "Trojan:Win32/Cenjonsla.D!bit", "target": "/malware/Trojan:Win32/Cenjonsla.D!bit" }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 467, "domain": 1213, "hostname": 773, "FileHash-SHA256": 1513, "FileHash-MD5": 887, "FileHash-SHA1": 729, "CVE": 4, "email": 10, "SSLCertFingerprint": 5 }, "indicator_count": 5601, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "573 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cc6e2c6c5bb617fa7fa892", "name": "3", "description": "", "modified": "2024-08-27T03:05:18.727000", "created": "2024-08-26T11:59:40.174000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": "66a5c2445cf4bbf984e98861", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Krishivpatel", "id": "292085", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "601 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66a5c2445cf4bbf984e98861", "name": "Social Engineering Crime Victims into Tracking Botnets | Fraud", "description": "Social Engineering 'S' Assault Victims into Tracking Botnets. This goes against basic human rights. An organization named 'The Blue Bench' referred victim to The Initiative for advocacy. She was social engineered, severely compromised and sent diverted from 'The Blue Bench' Colorado. They denied treatment for assault victim in 2022, while The Initiative ' Brian Sabey's stuff, tracked and hijacked phone and location, conversations.\nAuto-populated: \"Last HTTPS certificate\" is the last one to be issued on the internet, according to the website, and it is believed to have been signed by a member of the US government.", "modified": "2024-08-27T03:05:18.727000", "created": "2024-07-28T04:00:04.773000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "601 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666de04fd3531dc0896346a1", "name": "Skynet | Emotet | Nivdort | WhiteSky Communications_SPOOFED | Denver, Co", "description": "ISP of targets very close associate is spoofed. Ad. Full CnC . It's all there. Pulse better NOT be modified. Jeffrey Scott Reimer DPT who allegedly SA'd target hasn't been put under ANY scrutiny, a weakly written police report exists. A very healthy very fit woman who went to physical therapy left with a spinal cord injury, ACM, TBI, central nervous system injuries, separated hips & SI joints due to the great force of 'SA'. A letter from an MD demanded investigation as to how target ended up with injuries she didn't arrive with. Minor injury. Placed at MMI by 1st PT. It was insisted she to go to Reimer. She has a power wheelchair now. Now victim is a suspect needing to be surveilled. PT is now victim of unnamed crime against this 6'3 brut. Hacker Brian Sabey states Reimer hired him. Surveillance, bold confrontations, physically, verbally & cyber attacks need to stop. Countless SA victims probably go through something, but this? Shhhh. Silence please. Reimer needs to live his life.", "modified": "2024-08-14T06:01:01.267000", "created": "2024-06-15T18:41:19.343000", "tags": [ "historical ssl", "referrer", "project skynet", "cyber army", "page dow", "poser", "scammer", "security", "bitfender", "parked", "read c", "search", "show", "high", "unknown", "united", "pe32", "intel", "ms windows", "entries", "copy", "hupigon", "upatre", "explorer", "write", "win32", "malware", "defender", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "urls", "files", "get na", "possible", "sinkhole cookie", "value snkz", "medium", "nivdort", "service", "next", "arbor networks", "pulse pulses", "body", "contact", "date", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "span", "june", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "ip address", "domain", "ip related", "as55293 a2", "status", "as8068", "creation date", "otx telemetry", "emails", "expiration date", "name servers", "america asn", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "win32 exe", "identifier", "info", "dns replication", "technology", "passive", "user", "downloads", "text", "internet files", "storage", "firefox c", "pings c", "written c", "files deleted", "destination ip", "threat roundup", "april", "september", "october", "december", "january", "august", "hr rtd", "bot networks", "listen", "awful", "skynet", "ptls7", "clng", "cdate", "ygjpaufscontext", "flashpix", "bhja", "error resume", "voun2hd", "odx3x33jk9w3", "false", "template", "crash", "emotet", "project", "pe32 executable", "win16 ne", "os2 executable", "generic windos", "executable", "vs2008", "data rticon", "kyrgyz default", "default", "rticon kyrgyz", "info compiler", "products", "vs2005", "header intel", "name md5", "domains", "csc corporate", "com laude", "registrarsafe", "namecheap inc", "psiusa", "domain robot", "ii llc", "hetzner online", "gmbh", "type name", "file type", "kb file", "ip detections", "country", "contacted", "hashes", "file system", "pegasus", "targets sa", "survivor", "matches rule", "virus network", "comcast", "hiddentear", "critical", "installer", "targets tsara brashears", "trojan evader", "trojan malware", "npzk765", "content type", "a domains", "as16276", "body doctype", "public w3cdtd", "xhtml", "xmlns http", "gmt server", "accept", "graph", "http requests", "connect", "dns resolutions", "ip traffic", "remote debian spy", "search debian available space", "hacking", "targeting", "indostealer", "law firm", "showing", "x00x00", "trustinfo", "registry", "external ip", "observed", "administrator", "persistence", "execution", "hallrender", "west domains", "trojan", "memcommit", "pe section", "low software", "packing t1045", "t1045", "pe resource", "jeffrey scott reimer" ], "references": [ "https://whiteskycommunications.com/_Spoofed", "https://otx.alienvault.com/indicator/file/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031", "213.91.128.133 CnC AS 8866 (Vivacom Bulgaria EAD) BG - Miner", "0039ca3853af262af65326399713d4e45340eec4c3ea789be19335f06f090993", "Matches rule PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority Matches rule ET POLICY Cryptocurrency Miner Checkin Matches rule PUA-OTHER Cryptocurrency Miner outbound connection attempt", "https://twitter.com/PORNO_SEXYBABES", "IDS Detections: Win32/Emotet CnC Activity (POST) M9 GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1", "https://otx.alienvault.com/indicator/file/0274c7ffe81ebc6310a2857348a6653d0abbfca780238a854992b7b786bb1d72", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html - scrubbed and for sale.", "https://mypornsnap.top/photos/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears thousands of sites surfaced online", "It has taken years to slow the constant malicious DGA domains , they still keep smearing target only.", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "http://www.metanetworks.org/tsara-lynn-brashears-dead", "hxxps://onlyindianporn.net/videos/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Infostealer/Win.SmokeLoader.R439087", "display_name": "Infostealer/Win.SmokeLoader.R439087", "target": null }, { "id": "Alibaba Ransom:Win32/StopCrypt", "display_name": "Alibaba Ransom:Win32/StopCrypt", "target": "/malware/Alibaba Ransom:Win32/StopCrypt" }, { "id": "W32.AIDetect.malware2", "display_name": "W32.AIDetect.malware2", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ALF:TrojanSpy:Nivdort", "display_name": "ALF:TrojanSpy:Nivdort", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Trojan:Win32/Glupteba.RQ!MSR", "display_name": "Trojan:Win32/Glupteba.RQ!MSR", "target": "/malware/Trojan:Win32/Glupteba.RQ!MSR" }, { "id": "Win.Dropper.Tofsee-9799489-0", "display_name": "Win.Dropper.Tofsee-9799489-0", "target": null }, { "id": "Win32:DropperX-gen\\ [Drp]", "display_name": "Win32:DropperX-gen\\ [Drp]", "target": null } ], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 334, "FileHash-SHA1": 332, "FileHash-SHA256": 2760, "URL": 3080, "domain": 2294, "hostname": 1436, "CVE": 1, "email": 7, "CIDR": 1, "SSLCertFingerprint": 2 }, "indicator_count": 10247, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6683aae863ba601bac1a28b5", "name": "Zombie.A \u2022 Bayrob in fake malware information website.", "description": "Incredibly malicious IoC's found in a legitimate appearing website with informative information. Prominently appears at top of targets search results. \n https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png\nMultiple government domains behind website. Honeypot?", "modified": "2024-08-01T06:03:26.298000", "created": "2024-07-02T07:23:20.582000", "tags": [ "ukraine", "referrer", "deploys fake", "uue files", "fsociety", "target colombia", "judiciary", "financial", "public", "tools", "sector", "mexico", "aka xloader", "html", "html info", "title", "meta tags", "google tag", "utc gnr5gzhd545", "utc na", "utc aw944900006", "utc linkedin", "formbook", "accept", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "apache", "so funny", "click", "urls", "passive dns", "http", "unique", "scan endpoints", "all octoseek", "url http", "ip address", "related nids", "code", "united", "as54113", "unknown", "aaaa", "as15169 google", "as46691", "status", "cname", "search", "whitelisted", "body", "date", "msil", "meta", "third-party-cookies", "iframes", "external-resources", "text/html", "trackers", "end game", "name servers", "select contact", "domain holder", "nexus category", "creation date", "showing", "date hash", "avast avg", "trojan", "mtb may", "dynamicloader", "high", "medium", "yara detections", "sniffs", "attempts", "alternate data", "stream", "a foreign", "cultureneutral", "get na", "show", "delete c", "entries", "cape", "delete", "default", "copy", "nivdort", "write", "trojanspy", "bayrob", "malware", "eagle eyed", "nonads", "path max", "age86400 set", "cookie", "script urls", "type", "script script", "win32 exe", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "exe32", "compiler", "vs98", "contained", "simplified", "info compiler", "products", "sp6 build", "header intel", "name md5", "language", "not found", "rules not", "mitre", "info ids", "found sigma", "found", "files not", "found network", "getlasterror", "icons library", "os2 executable", "files", "file type", "kb file", "name", "type name", "ip detections", "country", "gandi sas", "dynadot", "enom", "namecheap", "dynadot inc", "namecheap inc", "dynadot llc", "domains", "tucows domains", "melbourne it", "historical ssl", "realteck audio", "problems", "lemon duck", "iocs", "sneaky server", "replacement", "unauthorized", "windows", "windir", "samplepath", "user", "process", "created", "shell commands", "windefend", "created bus", "tree", "registry keys", "reports upgrade", "keys set", "upgradestart", "dword", "data registry", "keys deleted", "reports", "get http", "request", "http requests", "ip traffic", "dns resolutions", "resolutions", "mitre att", "defense evasion", "ta0007 command", "control ta0011", "impact ta0034", "impact ta0040", "graph", "bundled files", "name file", "contacted ip", "users", "number", "ascii text", "crlf line", "database", "english", "tue jun", "installer", "template", "tulach", "rexxfield", "milesit", "cp", "self deleting", "stuff", "copying", "packages found", "targeting major", "injects ads", "into search", "results", "overlay", "text", "win32 dll", "javascript", "db2maestro", "open ports", "ipv4", "pulse submit", "url analysis", "expiration date", "hostname", "next", "ten process", "utc facebook", "utc google", "title ten", "blog meta", "tags", "elastic blog", "bing ads", "as8068", "certificate", "otx telemetry", "ref b", "record value", "emails", "please", "win32", "x msedge", "pulse pulses", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "safe site", "mail spammer", "million", "malware site", "phishing site", "malicious site", "bank", "fuery", "unsafe", "malicious", "alexa", "zbot", "asn as16625", "akamai", "less", "is2osecurity", "domain name", "active", "as21342", "domain", "location israel", "asn as1680", "invalid url", "body html", "head title", "title head", "body h1", "reference", "log id", "gmtn", "digicert tls", "rsa sha256", "tls web", "full name", "digicert inc", "organization", "district", "columbia", "false", "as20940", "as16625 akamai", "as8987 amazon", "moved", "as1680 cellcom", "alerts", "related pulses", "guard", "dynamic", "reads", "https link", "as8075", "record type", "ttl value", "redacted for", "privacy tech", "privacy admin", "postal code", "stateprovince", "server", "email", "office open", "ms word", "document", "xml document", "xml spreadsheet", "email trash", "rich text", "pdf tripwire", "fall", "whois lookups", "contact email", "blind eagle", "brian sabey" ], "references": [ "https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png", "https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc", "Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77", "Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320", "Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect", "Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile", "IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden", "Alerts: cape_detected_threat cape_extracted_content", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c", "Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120", "Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net", "Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net", "https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758", "Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019", "Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038", "Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis", "Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001", "Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022", "Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001", "Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052", "Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003", "Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP", "http://Object.prototype.hasOwnProperty.call", "Tulach! It's been a minute - 114.114.114.114", "What's going on here judiciary? Karen - cisa.gov? e.final", "f.search schema.org t.final", "ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov", "[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml", "Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window", "https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net", "Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV" ], "public": 1, "adversary": "Blind Eagle", "targeted_countries": [ "United States of America", "Colombia", "Netherlands", "Israel" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "trojan.bayrob/lazy", "display_name": "trojan.bayrob/lazy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1167, "FileHash-SHA1": 738, "FileHash-SHA256": 3074, "URL": 1019, "domain": 1639, "hostname": 973, "email": 11, "SSLCertFingerprint": 2 }, "indicator_count": 8623, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "626 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f2c0105aaf9e1db540dc", "name": "Brian Sabey Orbiting Tsara Brashears and associates | Espionage | Jeffery Scott Reimer Assault ", "description": "", "modified": "2024-07-29T16:00:46.118000", "created": "2024-07-01T00:05:20.043000", "tags": [ "unknown", "united", "virgin islands", "as51852", "as33387", "as19905", "as44273 host", "cname", "nxdomain", "passive dns", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "urls", "files ip", "address domain", "ip related", "pulses otx", "pulses", "related tags", "indicator facts", "dga domain", "http", "unique", "scan endpoints", "all scoreblue", "pulse pulses", "ip address", "related nids", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "b59bn timestamp", "ff2c217402202b", "code", "false", "url https", "domain", "trojan", "hostname", "files", "body", "date", "path max", "age86400 set", "cookie", "script urls", "type", "mtb may", "script script", "trojanspy", "striven", "miles2", "rexxfield", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "date sat", "gmt server", "sakula malware", "historical ssl", "realteck audio", "lemon duck", "iocs", "tsara brashears", "loki password", "stealer", "windows", "auction", "metro", "core", "colibri loader", "hacktool", "status", "for privacy", "creation date", "record value", "name servers", "showing", "next", "mtb mar", "ipv4", "ransom", "west domains", "redacted for", "gmt location", "gmt max", "cowboy", "encrypt", "as60558 phoenix", "susp", "win32", "methodpost", "canada unknown", "as43350 nforce", "united kingdom", "as47846", "germany unknown", "briansabey", "body doubles", "orbiters", "malvertising", "cane", "get na", "show", "as16509", "delete c", "sinkhole cookie", "value snkz", "cape", "possible", "copy", "nivdort", "write", "bayrob", "malware", "exploit", "confirm https", "impact", "misc http", "cvss v2", "authentication", "n cvss", "v3 severity", "high attack", "emails", "cnc", "alphacrypt cnc", "beacon", "as15169 google", "limited", "as8560", "elite", "AS33387 nocix llc", "pegasus", "mercenary", "cellerebrand", "cellebrite", "apple", "dark", "apple ios", "ios", "apple iphone", "apple itunes", "itunes", "pegasystem", "data brokers", "hackers", "javascript", "please", "intel", "filehash", "av detections", "xorddos" ], "references": [ "http://www.northpoleroute.com/78985064&type=0&resid=5312625", "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0", "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc", "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f", "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1", "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin", "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Alerts: cape_detected_threat cape_extracted_content", "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49", "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee", "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845", "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02", "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534", "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6", "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251", "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a", "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4", "https://otx.alienvault.com/indicator/ip/162.222.213.199", "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad", "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437", "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec", "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb", "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7", "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943", "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f", "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893", "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e", "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx", "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin", "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "https://otx.alienvault.com/indicator/ip/185.230.63.186", "CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148", "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz", "smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]", "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/ip/63.141.242.45", "Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo", "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,", "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9", "Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559", "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Ransom:Win32/Haperlock.A", "display_name": "Ransom:Win32/Haperlock.A", "target": "/malware/Ransom:Win32/Haperlock.A" }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "TrojanClicker:Win32/Ellell.A", "display_name": "TrojanClicker:Win32/Ellell.A", "target": "/malware/TrojanClicker:Win32/Ellell.A" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Win.Virus.TeslaCrypt3-2/Custom", "display_name": "Win.Virus.TeslaCrypt3-2/Custom", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Ransom:Win32/Tescrypt", "display_name": "Ransom:Win32/Tescrypt", "target": "/malware/Ransom:Win32/Tescrypt" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan:Linux/Xorddos", "display_name": "Trojan:Linux/Xorddos", "target": "/malware/Trojan:Linux/Xorddos" }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "green", "cloned_from": "66804428b487338dc16f70a7", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2091, "hostname": 547, "URL": 1254, "FileHash-MD5": 425, "FileHash-SHA256": 2161, "SSLCertFingerprint": 2, "FileHash-SHA1": 426, "CVE": 2, "email": 8 }, "indicator_count": 6916, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "629 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6680447d3a533233ed48b5e5", "name": "Trojan:Linux/Xorddos | Trojan:Win32/Zombie.A | TrojanClicker:Win32/Ellell.A ", "description": "", "modified": "2024-07-29T16:00:46.118000", "created": "2024-06-29T17:29:33.778000", "tags": [ "unknown", "united", "virgin islands", "as51852", "as33387", "as19905", "as44273 host", "cname", "nxdomain", "passive dns", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "urls", "files ip", "address domain", "ip related", "pulses otx", "pulses", "related tags", "indicator facts", "dga domain", "http", "unique", "scan endpoints", "all scoreblue", "pulse pulses", "ip address", "related nids", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "b59bn timestamp", "ff2c217402202b", "code", "false", "url https", "domain", "trojan", "hostname", "files", "body", "date", "path max", "age86400 set", "cookie", "script urls", "type", "mtb may", "script script", "trojanspy", "striven", "miles2", "rexxfield", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "date sat", "gmt server", "sakula malware", "historical ssl", "realteck audio", "lemon duck", "iocs", "tsara brashears", "loki password", "stealer", "windows", "auction", "metro", "core", "colibri loader", "hacktool", "status", "for privacy", "creation date", "record value", "name servers", "showing", "next", "mtb mar", "ipv4", "ransom", "west domains", "redacted for", "gmt location", "gmt max", "cowboy", "encrypt", "as60558 phoenix", "susp", "win32", "methodpost", "canada unknown", "as43350 nforce", "united kingdom", "as47846", "germany unknown", "briansabey", "body doubles", "orbiters", "malvertising", "cane", "get na", "show", "as16509", "delete c", "sinkhole cookie", "value snkz", "cape", "possible", "copy", "nivdort", "write", "bayrob", "malware", "exploit", "confirm https", "impact", "misc http", "cvss v2", "authentication", "n cvss", "v3 severity", "high attack", "emails", "cnc", "alphacrypt cnc", "beacon", "as15169 google", "limited", "as8560", "elite", "AS33387 nocix llc", "pegasus", "mercenary", "cellerebrand", "cellebrite", "apple", "dark", "apple ios", "ios", "apple iphone", "apple itunes", "itunes", "pegasystem", "data brokers", "hackers", "javascript", "please", "intel", "filehash", "av detections", "xorddos" ], "references": [ "http://www.northpoleroute.com/78985064&type=0&resid=5312625", "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0", "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc", "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f", "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1", "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin", "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Alerts: cape_detected_threat cape_extracted_content", "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49", "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee", "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845", "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02", "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534", "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6", "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251", "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a", "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4", "https://otx.alienvault.com/indicator/ip/162.222.213.199", "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad", "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437", "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec", "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb", "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7", "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943", "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f", "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893", "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e", "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx", "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin", "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "https://otx.alienvault.com/indicator/ip/185.230.63.186", "CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148", "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz", "smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]", "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/ip/63.141.242.45", "Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo", "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,", "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9", "Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559", "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Ransom:Win32/Haperlock.A", "display_name": "Ransom:Win32/Haperlock.A", "target": "/malware/Ransom:Win32/Haperlock.A" }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "TrojanClicker:Win32/Ellell.A", "display_name": "TrojanClicker:Win32/Ellell.A", "target": "/malware/TrojanClicker:Win32/Ellell.A" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Win.Virus.TeslaCrypt3-2/Custom", "display_name": "Win.Virus.TeslaCrypt3-2/Custom", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Ransom:Win32/Tescrypt", "display_name": "Ransom:Win32/Tescrypt", "target": "/malware/Ransom:Win32/Tescrypt" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan:Linux/Xorddos", "display_name": "Trojan:Linux/Xorddos", "target": "/malware/Trojan:Linux/Xorddos" }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "green", "cloned_from": "66804428b487338dc16f70a7", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2091, "hostname": 547, "URL": 1254, "FileHash-MD5": 425, "FileHash-SHA256": 2161, "SSLCertFingerprint": 2, "FileHash-SHA1": 426, "CVE": 2, "email": 8 }, "indicator_count": 6916, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "629 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "What's going on here judiciary? Karen - cisa.gov? e.final", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "f.search schema.org t.final", "It has taken years to slow the constant malicious DGA domains , they still keep smearing target only.", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA1 48dc18f70b2dfdf554e8247eb9e4a8910e19bd3b", "Bayrob: 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69 ef55e2c918f9678e97037d5505b0c8a3.virus", "Malware Behavior Catalog: Dynamic Analysis Evasion B0003 \u2022 Create File C0016 \u2022 Create Process C0017 \u2022 Create Thread C0038", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Malware Behavior Catalog: Defense Evasion OB0006 \u2022 Delayed Execution B0003.003 \u2022 Move File C0063 \u2022 Process Environment Block B0001.019", "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4", "[dhs gov] https://otx.alienvault.com/indicator/domain/dhs.gov \u2022 https://otx.alienvault.com/indicator/url/https:%2F%2Fwww.cisa.gov%2Fcybersecurity-advisories%2Fics-advisories.xml", "CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148", "Trojan:Win32/SmokeLoader : FileHash-SHA256 29d85b4c2d52a8bcb081aa40e3d4334a864e988e1fe17933f903b4114be8e56e", "Malware Behavior Catalog: COMSPEC Environment Variable F0007.001 \u2022 Install Additional Program B0023 \u2022 Delete File C0047 \u2022", "Domains Contacted: electricpresident.net recordcaught.net electriccaught.net streetstrong.net tradestrong.net", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://hallrender.com/attorney/brian-sabey", "CVE-2017-17215 - Huawei HG532 RCE Vulnerability / Huawei Remote Command Execution - Outbound / Huawei Remote Command Execution", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "\u2022 ww25.vpn.steamcommunity-site.info", "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437", "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Alerts: infostealer_cookies infostealer_keylog persistence_ads suspicious_command_tools anomalous_deletefile", "https://otx.alienvault.com/indicator/file/0274c7ffe81ebc6310a2857348a6653d0abbfca780238a854992b7b786bb1d72", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "Trojan:Win32/Zombie.A: FileHash-SHA256: 72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845", "North American Aerospace Defense Command NORAD", "Ransomware: FileHash-SHA256 557f1759be4fdf6b9dff732c8e8aa369f4d7f9fe61a0c462c0dc8d30c2973812", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "Malware Behavior Catalog: Operating System OC0008 \u2022 Environment Variable C0034 \u2022 Self Deletion F0007 \u2022 : Tree Anti-Behavioral Analysis", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "https://otx.alienvault.com/indicator/domain/asp.net \u2022 https://otx.alienvault.com/indicator/hostname/ts1.mm.bing.net", "\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us", "Trojan:Win32/Cenjonsla.D!bit : FileHash-SHA256 8d5fe61f75602c85c9cd196e7accc17e119191655d4ecd56da498663f5a8c92b", "Malware : http://gomyron.com/MTgzNjk=/2/6433/ronnoagraug/ - Huawei HG532 RCE Vulnerability", "213.91.128.133 CnC AS 8866 (Vivacom Bulgaria EAD) BG - Miner", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 215fbe9cf76ccbdde60eaa66538edeecadb844078b4379e66cacb83c7ac05690", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "https://whiteskycommunications.com/_Spoofed", "Matches rule PROTOCOL-ICMP PING Windows Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP", "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Matches rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Malware Hosting: http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf", "Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "IDS Detections: Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin 403 Forbidden", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/", "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad", "Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559", "Bayrob: FileHash-SHA256 3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02", "https://otx.alienvault.com/indicator/ip/185.230.63.186", "smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]", "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943", "\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/", "dev.dancerage.com - Unknown\tdev.sportshelves.com\tA\t199.59.242.153| dev.sportshelves.com | www.imarkdev.com \u00d7 45.76.62.78 | ASN AS20473 the constant company llc", "https://ladys.one/xxx/a-tsara-brashears-zafira-porn", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "[cisa gov] https://otx.alienvault.com/indicator/domain/cisa.gov \u2022 [hq.dhs.gov] https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin", "trojan.cosmu/xpiro - 960879004e1059a9e7eaca7b95f45ab9baf8f5b905e2714f1c65f92244396758", "superanalbizflowforum.com | www.networksolutions.com", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "Victim was then given numbers to workers compensation doctors who didn't speak English", "https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "https://otx.alienvault.com/indicator/file/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031", "https://otx.alienvault.com/indicator/file/72bd98a9157afcd3ae38b60a7cf3ae4f23d6bb069a7aa7be7080b6967a6cf0cc", "Malware Behavior Catalog: Get File Attributes C0049 \u2022 Set File Attributes C0050 \u2022 Read File C0051 \u2022 Writes File C0052", "http://www.northpoleroute.com/78985064&type=0&resid=5312625", "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "compromised_site_redirector_fromcharcode fromCharCode", "https://www.blackberry.com/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/cylance-web/global/bb-default-thumbnail-social.png", "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e", "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc", "\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects", "Tulach! It's been a minute - 114.114.114.114", "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f", "Alerts: cape_detected_threat cape_extracted_content", "Malware Behavior Catalog: Tree Anti-Behavioral: Environment Variable C0034 \u2022 Anti-Behavioral Analysis OB0001 \u2022 Process OC0003", "https://otx.alienvault.com/indicator/url/www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Bayrob: FileHash-MD5 871f1532a8f0f9cf9ec3e82b5da3a120", "\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net", "Matches rule PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority Matches rule ET POLICY Cryptocurrency Miner Checkin Matches rule PUA-OTHER Cryptocurrency Miner outbound connection attempt", "CVE-2017-8759 -\t\".NET Framework Remote Code Execution Vulnerability.\" CVE-2018-8453 - \"Win32k Elevation of Privilege Vulnerability.'", "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f", "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door.", "Was told by advocate that his description matches the male in vehicle following her for months.", "IDS Detections: Win32/Emotet CnC Activity (POST) M9 GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Malware Hosting: 162.43.116.132 | 183.181.98.116", "Alerts: creates_largekey script_created_process antisandbox_mouse_hook antivm_generic_disk dead_connect", "https://twitter.com/PORNO_SEXYBABES", "Security Contact Email: 212d0c197dca818es@hq.dhs.gov \u2022ACTIVE Domain Name: DHS.GOV", "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49", "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9", "\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/", "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534", "hxxps://onlyindianporn.net/videos/tsara-brashears/", "Domains Contacted: bettercaught.net electricstrong.net recordtrouble.net electrictrouble.net recordpresident.net", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/", "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz", "http://www.metanetworks.org/tsara-lynn-brashears-dead", "TrojanSpy:Win32/Nivdort.CW: FileHash-MD5\t9d6de961a498f831acb63c95e7b2ff0c", "Malware Behavior Catalog: System Information Discovery E1082 \u2022 File and Directory Discovery E1083 \u2022 Execution OB0009 \u2022 File System OC0001", "0039ca3853af262af65326399713d4e45340eec4c3ea789be19335f06f090993", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t3744b06ebb5465c1b3601abc9899e0448c3bb53e81ad6a3101780ab94931ba69", "Trojan:Win32/Zombie.A: FileHash-SHA1: 1fa3519b200cf5078c1c6c7df1cf44cd747c2320", "http://Object.prototype.hasOwnProperty.call", "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251", "Matches rule ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "TrojanSpy:Win32/Small : FileHash-SHA256 afec8925c79d6bb948ce08df54753268f63b4cb770456e6b623d9985fb1499cd", "Alerts: (cisa gov) ransomware_file_modifications script_created_process antisandbox_mouse_hook antivm_generic_disk infostealer_cookies suspicious_command_tools antidebug_guardpages dynamic_function_loading reads_self stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "ELF:Mirai-GH\\ [Trj] Trojan:Win32/Cenjonsla.D!bit Trojan:Win32/SmokeLoader TrojanSpy:Win32/Small VirTool:Win32/Injector.gen!BQ", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-MD5 da9b9e892ced7ec90841d813f6e42339", "ALF:JASYP:TrojanDownloader:Win32/Quireap!atmn: FileHash-SHA256 18f62aec151e9f17c55987f80ed1244d9812895018d2bc931df083fb846a52dc", "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec", "Bayrob: FileHash-SHA1 ad560bee21bf7aefc1f1a1be2762d852c7301c07", "\u2022 199.59.243.226", "https://www.virustotal.com/gui/search/engines:trojan%20AND%20engines:dropper%20AND%20engines:razy%20AND%20engines:copak", "Malware Behavior Catalog: Tree Anti-Behavioral Analysis: C0017 Create Thread \u2022 C0038 Operating System \u2022 Debugger Detection B0001", "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "http://superanalbizflowforum.com/tsara-lynn-brashears", "Be did wear a gator making it improbable for positive identification", "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin", "http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||", "ELF:Mirai-GH\\ [Trj] : FileHash-SHA256 866dfa8f3e4f4f26b70fd046fa6dcbc16eea1abc3bfaddb099d675e77ce26942 trojan", "[https://cisa gov] https://otx.alienvault.com/indicator/ip/92.123.203.73 \u2022 https://otx.alienvault.com/indicator/hostname/hq.dhs.gov", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html - scrubbed and for sale.", "\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com", "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "https://otx.alienvault.com/indicator/ip/63.141.242.45", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "ACTIVE Emails: IS2OSecurity@hq.dhs.gov \u2022 CISA.GOV Status \u2022 schoolsafety.gov \u2022 power2prevent.gov \u2022 is2osecurity@hq.dhs.gov", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7", "Trojan:Win32/Zombie.A: FileHash-MD5: 36b71d23ca7553fb9db0730e56e6bf77", "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO", "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0", "https://mypornsnap.top/photos/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears thousands of sites surfaced online", "VirTool:Win32/Injector.gen!BQ : FileHash-SHA256 a23846fe9a306c84eb1fb2b6b0b2b3a5fdbd958f747a10ccdb435d97e35de6f9", "https://otx.alienvault.com/indicator/ip/162.222.213.199", "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893", "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Exploit source: 138.197.103.178" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Blind Eagle", "IDK" ], "malware_families": [ "Worm:win32/fesber.a", "Alf:heraklezeval:rogue:win32/fakerean", "Pegasus for ios - s0289", "Win32:dropperx-gen\\ [drp]", "Pws:win32/ymacco.aa50", "Trojandownloader:win32/nemucod", "Win32:malware-gen", "Skynet", "Alibaba ransom:win32/stopcrypt", "Bayrob", "Alf:trojanspy:nivdort", "Reputation.1", "Trojan.bayrob/lazy", "Pegasus for android - mob-s0032", "Emotet", "Trojan:win32/cenjonsla.d!bit", "W32.aidetect.malware2", "Trojan:linux/xorddos", "Trojanspy:win32/small", "Trojan:win32/glupteba.rq!msr", "Backdoor:win32/fynloski.a", "Trojanclicker:win32/ellell.a", "Win.virus.teslacrypt3-2/custom", "Unruy", "Virtool:win32/injector.gen!bq", "Elf:mirai-gh\\ [trj]", "Alf:jasyp:trojandownloader:win32/quireap!atmn", "Cryp_xed-12", "Trojanspy:win32/nivdort.cw", "Ransom:win32/tescrypt", "Upackv037dwing", "Infostealer/win.smokeloader.r439087", "Trojanspy:win32/nivdort", "Worm:win32/macoute.a", "Trojan:win32/smokeloader", "Win.dropper.tofsee-9799489-0", "Trojan:win32/zombie.a", "Ransom:win32/eniqma.a", "Formbook", "Mal/generic-s", "Ransom:win32/haperlock.a", "Apnic", "Tofsee", "Pws:win32/qqpass.b!mtb", "Ransomware", "Sakula rat" ], "industries": [ "Media", "Technology", "Civil society", "Telecommunications" ], "unique_indicators": 121560 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/siaberm.com", "whois": "http://whois.domaintools.com/siaberm.com", "domain": "siaberm.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 24, "pulses": [ { "id": "69c795bb826e6067f37ea127", "name": "'3' clone by credit: krishivpatel", "description": "", "modified": "2026-03-28T08:47:55.537000", "created": "2026-03-28T08:47:55.537000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": "66cc6e2c6c5bb617fa7fa892", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ddf5bda001ff2f840c20e7", "name": "Mofksys - Originated from an X.com image", "description": "Mofksys - Originated from an X.com image Clicked on image to expand. Image coded. IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWFF.COM - Seen before. Associated with Pegasus in the past. \n\n#wannacry #wannacrypt #ransomware #phishing #other_malware_packed#cabby#driveby #milesmx #keystrokes #record #screencapture #mofksys #remote access #fullaccess #code -#botnet #deadhost #otx_pulsed #hilo:", "modified": "2025-11-01T03:03:51.684000", "created": "2025-10-02T03:47:09.092000", "tags": [ "url http", "url https", "h oct", "united", "netherlands", "present apr", "passive dns", "ip address", "present jul", "domain add", "pulse pulses", "urls", "files", "trojan", "entries", "next associated", "mtb nov", "ipv4 add", "overview domain", "files ip", "address", "location united", "asn asnone", "whois registrar", "mtb apr", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3888, "domain": 1009, "hostname": 2134, "FileHash-SHA256": 2150, "CVE": 1, "FileHash-MD5": 106, "FileHash-SHA1": 107 }, "indicator_count": 9395, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d3368ae75cccf736a55441", "name": "ET TROJAN Hiloti/Mufanom Downloader Checkin | Denizbankk.net", "description": "", "modified": "2025-10-23T23:03:23.167000", "created": "2025-09-24T00:08:42.048000", "tags": [ "log id", "gmtn", "tls web", "zerossl", "zerossl rsa", "domain secure", "site ca", "fa c7", "ocsp", "a167", "code", "keepalive", "false", "record type", "ttl a", "value", "o jarm", "fingerprint", "file format", "relevance", "united", "tempe", "arizona create", "domain", "expiry date", "name", "query time", "technical city", "tempe technical", "technical state", "rdap database", "handle", "iana registrar", "links", "algorithm", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl rsa", "validity", "server", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "available from", "country", "proxy", "postal code", "city", "admin city", "tempe admin", "filehashmd5", "url https", "filehashsha1", "url http", "type indicator", "role title", "added active", "related pulses", "filehashsha256", "showing", "germany unknown", "passive dns", "entries", "a domains", "body doctype", "content type", "gmt server", "ipv4 add", "pulse submit", "url analysis", "main", "apache", "accept", "title", "present dec", "present jun", "present nov", "aaaa", "present feb", "present sep", "search", "canada", "encrypt", "devam", "ad soyad", "mteri numaras", "gvenlik iin", "gizli soru", "gvenlik sorusu", "cevab", "ltfen bir", "present may", "moved", "present oct", "ip address", "gandi sas", "body", "backdoor", "next associated", "trojandropper", "fastly error", "please", "sea p", "twitter", "win32", "creation date", "name servers", "hostname add", "pulse pulses", "urls", "record value", "japan", "germany", "ipv4", "countries", "america", "netherlands", "italy", "brian sabey", "report spam", "tsara brashears", "created", "days ago", "green well", "sabey stash", "service", "hours ago", "malicious", "forbidden", "actionlistccc", "malware family", "mufanom att", "capture", "ck ids", "checkin", "t1036", "t1055", "injection", "t1056" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": "68d332d77a7eedf3ad71c406", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 617, "URL": 2495, "hostname": 1698, "FileHash-MD5": 275, "FileHash-SHA1": 265, "FileHash-SHA256": 1241, "SSLCertFingerprint": 2, "email": 4 }, "indicator_count": 6597, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d332d77a7eedf3ad71c406", "name": "Denizbankk.net \u2022 LevelBlue - Open Threat Exchange", "description": "Denizbankk.net \u2022 Debian.org \u2022 hallrender.com \u2022 alienvault.com \u2022 hopto.org \u2022 striven.com| ? | This is concerning. It\u2019s not like intended to find what I have found but I am disappointed. The few people on the platform who do their own research eventually leave with a large amount of reposters. Related to haallrendee, brian sabey and each link listed. Stange happenings this weak. [otx auto populated- Google Safe Browsing, Denizbankk.net, has been used by the Russian government to create a secure web address that can be accessed only if the user has the correct address.{", "modified": "2025-10-23T23:03:23.167000", "created": "2025-09-23T23:52:55.453000", "tags": [ "log id", "gmtn", "tls web", "zerossl", "zerossl rsa", "domain secure", "site ca", "fa c7", "ocsp", "a167", "code", "keepalive", "false", "record type", "ttl a", "value", "o jarm", "fingerprint", "file format", "relevance", "united", "tempe", "arizona create", "domain", "expiry date", "name", "query time", "technical city", "tempe technical", "technical state", "rdap database", "handle", "iana registrar", "links", "algorithm", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl rsa", "validity", "server", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "available from", "country", "proxy", "postal code", "city", "admin city", "tempe admin", "filehashmd5", "url https", "filehashsha1", "url http", "type indicator", "role title", "added active", "related pulses", "filehashsha256", "showing", "germany unknown", "passive dns", "entries", "a domains", "body doctype", "content type", "gmt server", "ipv4 add", "pulse submit", "url analysis", "main", "apache", "accept", "title", "present dec", "present jun", "present nov", "aaaa", "present feb", "present sep", "search", "canada", "encrypt", "devam", "ad soyad", "mteri numaras", "gvenlik iin", "gizli soru", "gvenlik sorusu", "cevab", "ltfen bir", "present may", "moved", "present oct", "ip address", "gandi sas", "body", "backdoor", "next associated", "trojandropper", "fastly error", "please", "sea p", "twitter", "win32", "creation date", "name servers", "hostname add", "pulse pulses", "urls", "record value", "japan", "germany", "ipv4", "countries", "america", "netherlands", "italy", "brian sabey", "report spam", "tsara brashears", "created", "days ago", "green well", "sabey stash", "service", "hours ago", "malicious", "forbidden", "actionlistccc", "malware family", "mufanom att", "capture", "ck ids", "checkin", "t1036", "t1055", "injection", "t1056" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 617, "URL": 2495, "hostname": 1698, "FileHash-MD5": 275, "FileHash-SHA1": 265, "FileHash-SHA256": 1241, "SSLCertFingerprint": 2, "email": 4 }, "indicator_count": 6597, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686d28ec9208b0424e0ccad2", "name": "Remote Keylogger | Foundry", "description": "Keylogger Remotely installed on all of targets devices. Up until\u2026 target had to purchase and return more than 50\ndevices minus service plans. Apple\nengineers have been involved many times. Mercenary attacks also confirmed: A kind phone store owner gave her a free phone that was hacked within seconds. \nUnless someone has been \u2018framing Palantir / Foundry Tech Mafia is portrayed a playing a significant involvement of SA victim potentially since day of coerced disclosure in 2013.\nThe first clue was a YouTube follower with a menacing name and picture began to follow, change login, network, dumped adult content, utilized web content scrapers,. stole\nPasswords,etc., Anyway .. Unruy & remotely installed keylogger. \n#foundry #apple #soc #keylogger \n\nThis is risky to say but very wrong to do. She was a multi generational (MGM) American.", "modified": "2025-09-19T03:02:22.742000", "created": "2025-07-08T14:19:24.211000", "tags": [ "delete", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "intel", "write", "malware", "dynamicloader", "yara rule", "high", "vmware", "phishing", "remote", "keylogger", "remote keylogger", "type indicator", "related pulses", "no expiration", "url https", "showing", "reputation", "foundry", "apple", "downloader", "trojan" ], "references": [ "http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||", "\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net", "\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects", "\u2022 199.59.243.226", "\u2022 ww25.vpn.steamcommunity-site.info", "\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/", "\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/", "\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us", "\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com", "\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Reputation.1", "display_name": "Reputation.1", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [ "Telecommunications", "Technology", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 244, "FileHash-SHA256": 4406, "URL": 9684, "domain": 3164, "hostname": 3370, "CVE": 1 }, "indicator_count": 21129, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6878a18234c007a966745bd8", "name": "Malware Packed | Affecting Technology Services", "description": "", "modified": "2025-08-16T07:00:49.321000", "created": "2025-07-17T07:08:50.192000", "tags": [ "win32", "united", "trojan", "mtb apr", "ransom", "trojandropper", "win32qqpass apr", "passive dns", "entries", "lowfi", "worm", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 588, "FileHash-MD5": 124, "FileHash-SHA1": 122, "FileHash-SHA256": 1382, "CVE": 1, "domain": 179, "email": 2, "hostname": 494 }, "indicator_count": 2892, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684a93360163e8802e213158", "name": "ELF:Mirai AMAZON-02 - Autonomous System 65.0.0.0/14", "description": "ELF:Mirai-BHZ\\ [Trj]\t\n65.0.0.0/14\nAutonomous System Number\n16509\nAutonomous System Label\nAMAZON-02\nRelated to \u2022 103.252.236.26 | \n\u2022 sr2.reliedhosting.com | \n.\u2022 http://planitair.com/ |\n\u2022 bgptools-wildcard-confirmed.acemalibu.com | \n\u2022 https://www.anyxxxtube.net/search-porn/tsara-brashears/ | \t\t\t\n\u2022 static.ads-twitter.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\t\n\u2022 analytics.twitter.com\n\u2022 appleupdate.org\n\u2022 apps.apple.com\n\u2022 pin.it |\n\u2022 https://pin.it/ |\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian Critical issue. Cyber weaponry [Unclear] Stealth contractual US cyber defense entity, endless DGA\u2019s. India IP block.\nAdversary named by bupyeongop:\n\ubd80\ud3c9\uc624\ud53c \ucd9c\uc7a5\ub9c8\uc0ac\uc9c0\uc548\ub0b4.COM \ubd80\ud3c9OP (massage service?)\n*DoS with many OTX features", "modified": "2025-07-12T07:04:05.635000", "created": "2025-06-12T08:43:34.719000", "tags": [ "thumbprint", "apnic", "apnic whois", "database", "please", "arin whois", "north america", "caribbean", "africa", "internet", "iana", "address range", "cidr", "network name", "allocation type", "whois server", "algorithm", "v3 serial", "number", "cbe oglobalsign", "r6 alphassl", "validity", "subject public", "key info", "key algorithm", "key identifier", "link", "search", "united", "a domains", "ip address", "creation date", "record value", "date", "showing", "india unknown", "status", "passive dns", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "location india", "india asn", "as133296 web", "dns resolutions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 27, "domain": 2499, "hostname": 2651, "URL": 10986, "CIDR": 2, "FileHash-SHA256": 3596, "email": 1, "FileHash-MD5": 23, "CVE": 7 }, "indicator_count": 19792, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "281 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68468505ee31db44fe063e82", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:53:57.123000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6846860ee9b4faefae8d4cf9", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:58:22.091000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6846860a0c5ff214f345717c", "name": "Crowdsourced research | IP 192.229.221.95", "description": "Crowdsourced research. \t\nLegitimately contracted for all forms of surveillance & other unspeakable jobs against crime victims.\nThis is as dangerous as it gets. The targets are sometimes individuals with absolutely no means of escape, I am speaking for crime victims, investigative journalists, insiders, informants, etc. This is outrageous. The highest level of threat as this is a global operation, primarily in the US with endless resources. No exaggerations. The warfare could , has and has been attempted to result in loss of life. There is quite a bit of information available regarding this merciless, meritless attacks. OTX isn\u2019t allowing full permissions. \n| 1003.v.vgt.pl |\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | \nfoundry2-lbl.dvr.dn2.n-helix.com | \n192.229.221.95 | \ndns0.org | cdnfastly.net", "modified": "2025-07-09T05:00:24.293000", "created": "2025-06-09T06:58:17.902000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 284, "FileHash-SHA1": 285, "FileHash-SHA256": 3666, "domain": 511, "hostname": 845, "URL": 3282, "CVE": 2, "email": 1 }, "indicator_count": 8876, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://siaberm.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://siaberm.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776661221.1795278 }