{ "type": "URL", "indicator": "https://social.yandex.kg", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://social.yandex.kg", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3396787304, "indicator": "https://social.yandex.kg", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 20, "pulses": [ { "id": "693adba47b2cce69440c726a", "name": "TESLA HACKERS | Login Google", "description": "Attackers target victims Google account, Google browser, Google homepage.\n\nTesla Hackers in the job. Tesla hackers are very young , angry, kids who chased target around mercilessly in their vehicles, photographed target, drive threateningly. Nothing sophisticated about the stalker crewl. This is intentional. Finding troubled individuals who are desperate for power is pretty easy. \n\nThe hit men range from gang members, white , black , Hispanic to the highly educated, Hit man who attempted to take target out was a spoiled, angry , aggressive, sneering POC. He walked in Denver. The next morning , the area target was driven if roadway was closed off and filled with a rather large road crew, work continues to work on this area. (Charlie Kirk like). Alleged traffic officer claims cameras pointed in different directions that night. He was identified as a computer science major by a PI. This feels so dangerous.", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T14:56:36.874000", "tags": [ "tlsv1", "united", "oamazon", "cnamazon rsa", "jfif", "ogoogle trust", "cngts ca", "exif standard", "tiff image", "xresolution74", "execution", "dock", "write", "persistence", "malware", "encrypt", "ca https", "no expiration", "iocs", "url https", "enter source", "url or", "text drag", "drop or", "browse to", "select file", "ipv4", "url http", "type indicator", "sec ch", "ch ua", "unknown", "ua full", "ua platform", "as44273 host", "ua bitness", "msie", "chrome", "backdoor", "trojandropper", "passive dns", "forbidden", "body", "twitter", "trojan", "cookie", "title", "windows nt", "wow64", "slcc2", "media center", "read c", "port", "destination", "local", "moved", "integration all", "urls", "files", "reverse dns", "location united", "america flag", "name servers", "hostname", "unique", "expires wed", "gmt date", "server", "date wed", "connection", "use linux", "cybersecurity", "http", "ip address", "files location", "flag united", "win32", "urls show", "date checked", "url hostname", "server response", "virtool", "date hash", "avast avg", "heur", "lowfi", "k sep", "contacted", "related tags", "none file", "type", "present dec", "present nov", "mtb mar", "aaaa", "hacktool", "indicator role", "domain", "url add", "as20940", "as16625 akamai", "present mar", "present may", "as54113", "present apr", "ipv4 add", "url analysis", "servers", "emails", "hostname add", "present aug", "present sep", "present oct", "status", "present jul", "data upload", "extraction", "as208722 yandex", "russia unknown", "a domains", "expirestue", "path", "certificate", "medium", "alerts show", "ck technique", "technique id", "installs", "pe32", "intel", "ms windows", "high", "icmp traffic", "dns query", "packing t1045", "t1045", "screenshots", "file type", "date february", "pm size", "imphash pehash", "guard", "syst", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "spawns", "t1590 gather", "flag", "united kingdom", "command decode", "belgium belgium", "federation", "france france", "ireland ireland", "canada canada", "suricata ipv4", "click", "tesla hackers", "elon musk", "show", "richhash", "external", "virustotal api", "comments", "vendor finding", "notes clamav", "ms defender", "files matching", "copy", "found", "ssl certificate", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "yara rule", "reads", "number", "sample analysis", "hide samples", "entries", "samples show", "next yara", "detections name", "devcv5 ujrb", "ujrb", "uja1t", "show technique", "mitre att", "ck matrix", "ascii text", "pattern match", "sha1", "network traffic", "show process", "general" ], "references": [ "https://www.teslarati.com/spacex", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "https://www.teslarati.com/", "https://www.teslarati.com/spacex", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "Source : Binary File ATT&CK ID T1566.002", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Detected Non-Google domain serving Google homepage details", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "display_name": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "target": "/malware/Ms Defender\tTrojan:Win32/Qbot.KVD!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Jaik-9940406-0", "display_name": "Win.Malware.Jaik-9940406-0", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "display_name": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5894, "FileHash-MD5": 458, "FileHash-SHA1": 305, "FileHash-SHA256": 2481, "SSLCertFingerprint": 26, "hostname": 2406, "domain": 966, "email": 16, "CVE": 1 }, "indicator_count": 12553, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "142 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c5dcd42da951f32ee24e0f", "name": "https://mypornwap.fun/downloads/5/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashesrs", "description": "", "modified": "2024-08-21T12:25:56.328000", "created": "2024-08-21T12:25:56.328000", "tags": [ "cins active", "poor reputation", "host", "threats et", "ip tcp", "detection list", "ip address", "blacklist", "macedonia", "former yugoslav", "site", "cisco umbrella", "alexa top", "million", "alexa", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "paypal", "team phishing", "blacknet rat", "loki password", "stealer", "malicious url", "malicious site", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "blacknet", "site top", "million alexa", "safe site", "malware", "genpack", "deepscan", "cobalt strike", "malicious", "zbot", "memscan", "cl0p", "cyber threat", "heur", "engineering", "united", "covid19", "malicious host", "team", "virut", "nymaim", "pony", "ransomware", "bradesco", "opencandy", "ramnit", "adload", "simda", "zeus", "pykspa", "riskware", "generic", "artemis", "downldr", "binder", "sutra", "steam", "asyncrat", "revengerat", "downloader", "exploit", "emailworm", "agent", "tinba", "maltiverse safe", "generic malware", "phishing site", "outbrowse", "suppobox", "vawtrak", "solimba", "wacatac", "msil", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "dropper", "mediaget", "crack", "blacklist http", "ascii text", "nysp", "appdata", "jpeg image", "jfif standard", "file", "0xeae6b5", "function", "0x308d49", "x6a4", "push", "shift", "cookie", "slice", "path", "window", "error", "false", "hybrid", "crypto", "open", "blank", "template", "target", "trim", "write", "period", "touchmove", "click", "close", "body", "screen", "android", "canvas", "class", "span", "trident", "accept", "general", "local", "html", "unsafe", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "trojanx", "webshell", "iframe", "patcher", "driverpack", "union", "maltiverse", "blacklist https", "google", "noname057", "redlinestealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": "655d0ec7b7cb12c66cac457d", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 884, "hostname": 1809, "FileHash-MD5": 635, "FileHash-SHA1": 321, "FileHash-SHA256": 2079, "CVE": 16, "URL": 6434 }, "indicator_count": 12178, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "649 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655d0ec7b7cb12c66cac457d", "name": "https://mypornwap.fun/downloads/5/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears-gzip", "description": "Exploit\nContains escaped byte string (often part of obfuscated shellcode), Malicious\nhttps://www.profitabledisplaycontent.com/watch.375255570190.js, Malvertizing a true crime, child pornographer.\n\nSource: https://mypornwap.fun/downloads/5/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears-gzip\n\nResource: https://www.hybrid-analysis.com/sample/f0233084bd810eb266cd29a879dc58d84c2a85032ba58b4b50d5643e7a41a144/655cf15b9f12303f990942e9", "modified": "2023-12-21T19:03:27.243000", "created": "2023-11-21T20:10:47.792000", "tags": [ "cins active", "poor reputation", "host", "threats et", "ip tcp", "detection list", "ip address", "blacklist", "macedonia", "former yugoslav", "site", "cisco umbrella", "alexa top", "million", "alexa", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "paypal", "team phishing", "blacknet rat", "loki password", "stealer", "malicious url", "malicious site", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "blacknet", "site top", "million alexa", "safe site", "malware", "genpack", "deepscan", "cobalt strike", "malicious", "zbot", "memscan", "cl0p", "cyber threat", "heur", "engineering", "united", "covid19", "malicious host", "team", "virut", "nymaim", "pony", "ransomware", "bradesco", "opencandy", "ramnit", "adload", "simda", "zeus", "pykspa", "riskware", "generic", "artemis", "downldr", "binder", "sutra", "steam", "asyncrat", "revengerat", "downloader", "exploit", "emailworm", "agent", "tinba", "maltiverse safe", "generic malware", "phishing site", "outbrowse", "suppobox", "vawtrak", "solimba", "wacatac", "msil", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "dropper", "mediaget", "crack", "blacklist http", "ascii text", "nysp", "appdata", "jpeg image", "jfif standard", "file", "0xeae6b5", "function", "0x308d49", "x6a4", "push", "shift", "cookie", "slice", "path", "window", "error", "false", "hybrid", "crypto", "open", "blank", "template", "target", "trim", "write", "period", "touchmove", "click", "close", "body", "screen", "android", "canvas", "class", "span", "trident", "accept", "general", "local", "html", "unsafe", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "trojanx", "webshell", "iframe", "patcher", "driverpack", "union", "maltiverse", "blacklist https", "google", "noname057", "redlinestealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 884, "hostname": 1809, "FileHash-MD5": 635, "FileHash-SHA1": 321, "FileHash-SHA256": 2079, "CVE": 16, "URL": 6434 }, "indicator_count": 12178, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "893 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655d0f94ad4d7cdc5e3f0a98", "name": "BlackNET", "description": "Exploit\nContains escaped byte string (often part of obfuscated shellcode), Malicious\nhttps://www.profitabledisplaycontent.com/watch.375255570190.js, Malvertizing a true crime, child pornographer.\n\nSource: https://mypornwap.fun/downloads/5/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears-gzip\n\nResource: https://www.hybrid-analysis.com/sample/f0233084bd810eb266cd29a879dc58d84c2a85032ba58b4b50d5643e7a41a144/655cf15b9f12303f990942e9", "modified": "2023-12-21T19:03:27.243000", "created": "2023-11-21T20:14:12.454000", "tags": [ "cins active", "poor reputation", "host", "threats et", "ip tcp", "detection list", "ip address", "blacklist", "macedonia", "former yugoslav", "site", "cisco umbrella", "alexa top", "million", "alexa", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "paypal", "team phishing", "blacknet rat", "loki password", "stealer", "malicious url", "malicious site", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "blacknet", "site top", "million alexa", "safe site", "malware", "genpack", "deepscan", "cobalt strike", "malicious", "zbot", "memscan", "cl0p", "cyber threat", "heur", "engineering", "united", "covid19", "malicious host", "team", "virut", "nymaim", "pony", "ransomware", "bradesco", "opencandy", "ramnit", "adload", "simda", "zeus", "pykspa", "riskware", "generic", "artemis", "downldr", "binder", "sutra", "steam", "asyncrat", "revengerat", "downloader", "exploit", "emailworm", "agent", "tinba", "maltiverse safe", "generic malware", "phishing site", "outbrowse", "suppobox", "vawtrak", "solimba", "wacatac", "msil", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "dropper", "mediaget", "crack", "blacklist http", "ascii text", "nysp", "appdata", "jpeg image", "jfif standard", "file", "0xeae6b5", "function", "0x308d49", "x6a4", "push", "shift", "cookie", "slice", "path", "window", "error", "false", "hybrid", "crypto", "open", "blank", "template", "target", "trim", "write", "period", "touchmove", "click", "close", "body", "screen", "android", "canvas", "class", "span", "trident", "accept", "general", "local", "html", "unsafe", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "trojanx", "webshell", "iframe", "patcher", "driverpack", "union", "maltiverse", "blacklist https", "google", "noname057", "redlinestealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 884, "hostname": 1809, "FileHash-MD5": 635, "FileHash-SHA1": 321, "FileHash-SHA256": 2079, "CVE": 16, "URL": 6434 }, "indicator_count": 12178, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "893 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655d0edbb8c22bcb4e5969b8", "name": "https://mypornwap.fun/downloads/5/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears-gzip", "description": "Exploit\nContains escaped byte string (often part of obfuscated shellcode), Malicious\nhttps://www.profitabledisplaycontent.com/watch.375255570190.js, Malvertizing a true crime, child pornographer.\n\nSource: https://mypornwap.fun/downloads/5/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears-gzip\n\nResource: https://www.hybrid-analysis.com/sample/f0233084bd810eb266cd29a879dc58d84c2a85032ba58b4b50d5643e7a41a144/655cf15b9f12303f990942e9", "modified": "2023-12-21T19:03:27.243000", "created": "2023-11-21T20:11:07.064000", "tags": [ "cins active", "poor reputation", "host", "threats et", "ip tcp", "detection list", "ip address", "blacklist", "macedonia", "former yugoslav", "site", "cisco umbrella", "alexa top", "million", "alexa", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "paypal", "team phishing", "blacknet rat", "loki password", "stealer", "malicious url", "malicious site", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "blacknet", "site top", "million alexa", "safe site", "malware", "genpack", "deepscan", "cobalt strike", "malicious", "zbot", "memscan", "cl0p", "cyber threat", "heur", "engineering", "united", "covid19", "malicious host", "team", "virut", "nymaim", "pony", "ransomware", "bradesco", "opencandy", "ramnit", "adload", "simda", "zeus", "pykspa", "riskware", "generic", "artemis", "downldr", "binder", "sutra", "steam", "asyncrat", "revengerat", "downloader", "exploit", "emailworm", "agent", "tinba", "maltiverse safe", "generic malware", "phishing site", "outbrowse", "suppobox", "vawtrak", "solimba", "wacatac", "msil", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "dropper", "mediaget", "crack", "blacklist http", "ascii text", "nysp", "appdata", "jpeg image", "jfif standard", "file", "0xeae6b5", "function", "0x308d49", "x6a4", "push", "shift", "cookie", "slice", "path", "window", "error", "false", "hybrid", "crypto", "open", "blank", "template", "target", "trim", "write", "period", "touchmove", "click", "close", "body", "screen", "android", "canvas", "class", "span", "trident", "accept", "general", "local", "html", "unsafe", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "trojanx", "webshell", "iframe", "patcher", "driverpack", "union", "maltiverse", "blacklist https", "google", "noname057", "redlinestealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 884, "hostname": 1809, "FileHash-MD5": 635, "FileHash-SHA1": 321, "FileHash-SHA256": 2079, "CVE": 16, "URL": 6434 }, "indicator_count": 12178, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "893 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655950034e6ae4650a6b02ce", "name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4", "description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-19T00:00:03.258000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655aef8a8cc2e0929f2aa5ea", "name": "Python Initiated Connection | Spyware | Remote Attacks |", "description": "", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-20T05:32:58.400000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "655950034e6ae4650a6b02ce", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8d167202b93ee502ff8", "name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader", "description": "", "modified": "2023-12-06T17:01:05.291000", "created": "2023-12-06T17:01:05.291000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 12, "URL": 3839, "hostname": 1331, "FileHash-SHA256": 2976, "domain": 757, "FileHash-MD5": 250, "FileHash-SHA1": 80 }, "indicator_count": 9245, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8bf416a1c314819ea53", "name": "Remote Access Related | APK attack targets independent artists", "description": "", "modified": "2023-12-06T17:00:47.888000", "created": "2023-12-06T17:00:47.888000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-SHA256": 2385, "hostname": 1054, "domain": 713, "URL": 3595, "FileHash-MD5": 1104, "FileHash-SHA1": 585, "FilePath": 1 }, "indicator_count": 9442, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709a0e8c20860fea88779a", "name": "https://surveyheart.com/form/619fb5dc68ff1721fc915f81", "description": "", "modified": "2023-12-06T15:58:06.293000", "created": "2023-12-06T15:58:06.293000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3624, "FileHash-SHA256": 1584, "domain": 871, "hostname": 1290, "FileHash-MD5": 20, "FileHash-SHA1": 20 }, "indicator_count": 7409, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709510e5b078aa5f09ca51", "name": "widevinecdm.dll seemingly problematic - supply chain holy god mother of fu.k", "description": "", "modified": "2023-12-06T15:36:48.409000", "created": "2023-12-06T15:36:48.409000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1447, "FileHash-MD5": 199, "FileHash-SHA1": 197, "domain": 267, "hostname": 871, "URL": 1930, "email": 2 }, "indicator_count": 4913, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570819e75a6b853df509785", "name": "http://projectorworld.ru/blog/770.htm", "description": "", "modified": "2023-12-06T14:13:50.518000", "created": "2023-12-06T14:13:50.518000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 447, "domain": 151, "URL": 991, "hostname": 334, "FileHash-MD5": 61, "FileHash-SHA1": 50, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 2038, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65298a6839a49a9aa732bcac", "name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader", "description": "IC3 attached to links, apple , messaging, Skype.\nIC3 CN?\nChina? Unclear. Possibly intercepting IC3 complaints or linking to FBI to frame targets. Links show attack is Attorney orchestrated. \nSame group of Apple iTune links affected by Java.Trojan.GenericGB, Apple NetWorm Trojan.Buzus, Dropper.Mudrop, GenPack:Trojan.Generic, Worm.Mytob ,Phishing site, Anonymizer , netsky ,worm and other vulnerabilities over time. \u200eSign of the Times \u2013 Album par Dembiak Music \u2013 Apple Music Autonomous Systems: AS714 Apple Inc AS14061 Digital Ocean Inc AS8560 1 1 Internet SE Anonymizer: Proxy - FireHol malicious url, evasive, pua, worm, network, attack, bad actor, targeting", "modified": "2023-11-12T17:01:15.222000", "created": "2023-10-13T18:20:24.042000", "tags": [ "ssl certificate", "historical ssl", "referrer", "communicating", "unlocker", "legal entities", "using ip", "amazon aws", "apple ios", "passcode", "attack", "verified", "cyber criminal", "name verdict", "falcon sandbox", "united", "flag", "date", "name server", "markmonitor", "contains", "external", "new relic", "logo", "av detection", "hybrid", "general", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "proxy", "firehol", "malware", "heur", "cisco umbrella", "site", "safe site", "million", "alexa top", "malicious site", "malware site", "adware", "artemis", "iframe", "cleaner", "unsafe", "riskware", "opencandy", "downldr", "nircmd", "swrort", "presenoker", "wacatac", "phishing", "xtrat", "crack", "tiggre", "exploit", "agent", "filetour", "conduit", "acint", "systweak", "behav", "genkryptik", "softcnapp", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "xrat", "gamehack", "webtoolbar", "trojanspy", "maltiverse", "urls", "detection list", "blacklist https", "path", "maxage31536000", "expiressat", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "pragma", "html info", "title kedence", "official apk", "meta tags", "apk download", "android", "google tag", "utc google", "utc na", "phishing site", "anonymizer", "malicious host", "driverpack", "ransomware", "installcore", "suppobox", "patcher", "generic", "dropper", "fakealert", "quasar rat", "applicunwnt", "mimikatz", "team", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 250, "FileHash-SHA1": 80, "FileHash-SHA256": 2976, "domain": 757, "hostname": 1331, "URL": 3839, "CVE": 12 }, "indicator_count": 9245, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "932 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f19f703614354a606c382", "name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader", "description": "", "modified": "2023-11-12T17:01:15.222000", "created": "2023-10-30T02:50:31.950000", "tags": [ "ssl certificate", "historical ssl", "referrer", "communicating", "unlocker", "legal entities", "using ip", "amazon aws", "apple ios", "passcode", "attack", "verified", "cyber criminal", "name verdict", "falcon sandbox", "united", "flag", "date", "name server", "markmonitor", "contains", "external", "new relic", "logo", "av detection", "hybrid", "general", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "proxy", "firehol", "malware", "heur", "cisco umbrella", "site", "safe site", "million", "alexa top", "malicious site", "malware site", "adware", "artemis", "iframe", "cleaner", "unsafe", "riskware", "opencandy", "downldr", "nircmd", "swrort", "presenoker", "wacatac", "phishing", "xtrat", "crack", "tiggre", "exploit", "agent", "filetour", "conduit", "acint", "systweak", "behav", "genkryptik", "softcnapp", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "xrat", "gamehack", "webtoolbar", "trojanspy", "maltiverse", "urls", "detection list", "blacklist https", "path", "maxage31536000", "expiressat", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "pragma", "html info", "title kedence", "official apk", "meta tags", "apk download", "android", "google tag", "utc google", "utc na", "phishing site", "anonymizer", "malicious host", "driverpack", "ransomware", "installcore", "suppobox", "patcher", "generic", "dropper", "fakealert", "quasar rat", "applicunwnt", "mimikatz", "team", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "65298a6839a49a9aa732bcac", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 250, "FileHash-SHA1": 80, "FileHash-SHA256": 2976, "domain": 757, "hostname": 1331, "URL": 3839, "CVE": 12 }, "indicator_count": 9245, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "932 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1d23d050527b7aa07cfd", "name": "Remote Access Related | APK attack targets independent artists", "description": "", "modified": "2023-11-12T07:01:14.580000", "created": "2023-10-30T03:04:03.323000", "tags": [ "alexa top", "blacklist", "phishing", "million", "site", "cisco umbrella", "path", "maxage31536000", "expiressat", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "pragma", "html info", "title kedence", "official apk", "meta tags", "apk download", "android", "google tag", "utc google", "utc na", "whois record", "contacted", "ssl certificate", "communicating", "referrer", "historical ssl", "bundled", "resolutions", "contacted urls", "hackers install", "malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "united", "phishing site", "malware site", "malicious site", "heur", "anonymizer", "malicious host", "crack", "maltiverse", "driverpack", "ransomware", "opencandy", "artemis", "riskware", "installcore", "suppobox", "bank", "agent", "patcher", "generic", "t", "safe site", "iframe", "downldr", "presenoker", "exploit", "genkryptik", "dropper", "fakealert", "quasar rat", "xtrat", "softcnapp", "cleaner", "xrat", "applicunwnt", "mimikatz", "team", "azorult", "service", "runescape", "facebook", "download", "logo analysis", "size81b type", "mime", "scan10132023", "results", "multi scan", "analysis", "update", "view details", "na visit", "sansx22", "3px 3px", "indicator", "file", "general", "email address", "pattern match", "ck id", "t1114", "show technique", "mitre att", "ck matrix", "script", "antivirus", "svg scalable", "vector graphics", "span", "twitter", "hybrid", "ascii text", "appdata", "windows nt", "png image", "jpeg image", "jfif", "date", "flag", "markmonitor", "name server", "server", "enom", "whois privacy", "cloudflare", "domain address", "show", "osint", "f8f9fa", "eeeeee", "click", "unknown", "open", "error", "body", "hosts", "strings", "class", "critical", "meta", "scroll", "atom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "T", "display_name": "T", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": "6528fa2179cc1554d7f434c6", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 713, "FileHash-MD5": 1104, "FileHash-SHA1": 585, "FileHash-SHA256": 2385, "hostname": 1054, "URL": 3596, "CVE": 5, "FilePath": 1 }, "indicator_count": 9443, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "932 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6528fa2179cc1554d7f434c6", "name": "Remote Access Related | APK attack targets independent artists", "description": "Suppression, malware,\nPassword,Exploit/Shellcode *Defacement *Unsafe.AI_Score_ * FileRepMetagen [PUP]\nrevenge-rat,stealer,, Steganos Software GmbH Privacy Suite, Ransom_WannaCrypt.R002C0DJO20,\nWacatac.B, Trojan.HideLink, SuppoBox,Trojan.Downloader.Generic, TrojWare.JS.Obfuscated, Phish.HHH, Phishing_Netflix.EVT, Phishing.Microsoft,Trojan.AvsHepter, HTML:PhishingBank, Phishing.fz, Probably, Heur.HTMLUnescapeF, BehavesLike.HTML.SMSSendPhishing.S23, Gen:Variant.Zbot, BehavesLike.HTML.Faceliker", "modified": "2023-11-12T07:01:14.580000", "created": "2023-10-13T08:04:49.722000", "tags": [ "alexa top", "blacklist", "phishing", "million", "site", "cisco umbrella", "path", "maxage31536000", "expiressat", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "pragma", "html info", "title kedence", "official apk", "meta tags", "apk download", "android", "google tag", "utc google", "utc na", "whois record", "contacted", "ssl certificate", "communicating", "referrer", "historical ssl", "bundled", "resolutions", "contacted urls", "hackers install", "malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "united", "phishing site", "malware site", "malicious site", "heur", "anonymizer", "malicious host", "crack", "maltiverse", "driverpack", "ransomware", "opencandy", "artemis", "riskware", "installcore", "suppobox", "bank", "agent", "patcher", "generic", "t", "safe site", "iframe", "downldr", "presenoker", "exploit", "genkryptik", "dropper", "fakealert", "quasar rat", "xtrat", "softcnapp", "cleaner", "xrat", "applicunwnt", "mimikatz", "team", "azorult", "service", "runescape", "facebook", "download", "logo analysis", "size81b type", "mime", "scan10132023", "results", "multi scan", "analysis", "update", "view details", "na visit", "sansx22", "3px 3px", "indicator", "file", "general", "email address", "pattern match", "ck id", "t1114", "show technique", "mitre att", "ck matrix", "script", "antivirus", "svg scalable", "vector graphics", "span", "twitter", "hybrid", "ascii text", "appdata", "windows nt", "png image", "jpeg image", "jfif", "date", "flag", "markmonitor", "name server", "server", "enom", "whois privacy", "cloudflare", "domain address", "show", "osint", "f8f9fa", "eeeeee", "click", "unknown", "open", "error", "body", "hosts", "strings", "class", "critical", "meta", "scroll", "atom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "T", "display_name": "T", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 713, "FileHash-MD5": 1104, "FileHash-SHA1": 585, "FileHash-SHA256": 2385, "hostname": 1054, "URL": 3596, "CVE": 5, "FilePath": 1 }, "indicator_count": 9443, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "932 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6451ac22105fabd34fbdf476", "name": "https://surveyheart.com/form/619fb5dc68ff1721fc915f81", "description": "Albert Hill fake profile has 1 follower and 1 follow. the one follow has this url in the p rofile", "modified": "2023-05-03T00:34:42.633000", "created": "2023-05-03T00:34:42.633000", "tags": [ "entity" ], "references": [ "https://www.virustotal.com/graph/g5cc372545fb241bdab97ceedfdc72d87d6ec1e42c9a545ae9f824ed1e99521d9", "g5cc372545fb241bdab97ceedfdc72d87d6ec1e42c9a545ae9f824ed1e99521d9.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3624, "FileHash-SHA256": 1584, "hostname": 1290, "domain": 871, "IPv4": 95, "FileHash-MD5": 20, "FileHash-SHA1": 20 }, "indicator_count": 7504, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1125 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63994429139dc965346ecad6", "name": "think of it like supply chain but using consumer infrastructure instead of corp data", "description": "[object Object", "modified": "2023-01-13T00:01:55.237000", "created": "2022-12-14T03:34:01.804000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "localappdata", "unicode", "hash seen", "size", "runtime process", "temp", "sha256", "sha1", "hybrid", "close", "click", "hosts", "ransomware", "general", "strings", "suspicious", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb", "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb/6398ed7852c7e131d0022430" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 576, "hostname": 282, "domain": 51, "FileHash-SHA256": 85, "FileHash-MD5": 51, "FileHash-SHA1": 50, "email": 2 }, "indicator_count": 1097, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1235 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6398fe16df6290d8fcac2f77", "name": "widevinecdm.dll seemingly problematic - supply chain holy god mother of fu.k", "description": "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "modified": "2023-01-12T21:02:22.235000", "created": "2022-12-13T22:35:02.021000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "threat level", "date", "sha256", "unicode", "size", "pcap", "pcap processing", "runtime process", "accept", "suspicious", "hybrid", "malicious", "close", "click", "hosts", "ransomware", "general", "local", "path", "mozilla", "strings", "localappdata", "temp", "prefetch8 ansi", "entropy", "win64", "disabled hash", "friendly", "mozi", "trident", "copy md5", "copy sha1", "copy sha256", "file", "type data", "download file", "db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "widevinecdm.dll", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c2" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 871, "URL": 1930, "domain": 267, "FileHash-SHA256": 1447, "FileHash-MD5": 199, "FileHash-SHA1": 197, "email": 2 }, "indicator_count": 4913, "is_author": false, "is_subscribing": null, "subscriber_count": 397, "modified_text": "1235 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622d0de8dc376a8b02b4e32c", "name": "http://projectorworld.ru/blog/770.htm", "description": "", "modified": "2022-04-11T00:04:29.819000", "created": "2022-03-12T21:17:28.098000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "windows nt", "threat level", "date", "sha256", "pcap", "pcap processing", "reference", "path", "accept", "suspicious", "malicious", "kcor", "nenet", "mumo", "hybrid", "close", "click", "hosts", "general", "local", "factory", "strings", "format" ], "references": [ "https://hybrid-analysis.com/sample/09e8201ad88a17ad98b0b47f25e9e60b54a15830420811927f1125463a5efab5?environmentId=100" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 334, "URL": 991, "FileHash-SHA256": 447, "domain": 151, "email": 2, "FileHash-MD5": 61, "FileHash-SHA1": 50, "SSLCertFingerprint": 2 }, "indicator_count": 2038, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1512 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "https://hybrid-analysis.com/sample/09e8201ad88a17ad98b0b47f25e9e60b54a15830420811927f1125463a5efab5?environmentId=100", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "g5cc372545fb241bdab97ceedfdc72d87d6ec1e42c9a545ae9f824ed1e99521d9.json", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://www.virustotal.com/graph/g5cc372545fb241bdab97ceedfdc72d87d6ec1e42c9a545ae9f824ed1e99521d9", "Source : Binary File ATT&CK ID T1566.002", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb/6398ed7852c7e131d0022430", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "https://www.teslarati.com/", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared", "Detected Non-Google domain serving Google homepage details", "https://www.teslarati.com/spacex", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Cl0p", "Win.malware.jaik-9940406-0", "Trojanspy", "T", "Alf:jasyp:trojan:win32/genmaldown!atmn", "Cyber criminal", "Maltiverse", "Verified", "Gc", "Gamehack", "Trojan:win32/zombie.a", "Et", "Webtoolbar", "Ms defender\ttrojan:win32/qbot.kvd!mtb", "Blacknet", "Win.malware.snojan-6775202-0", "Worm:win32/mofksys.rnd!mtb" ], "industries": [], "unique_indicators": 77085 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/yandex.kg", "whois": "http://whois.domaintools.com/yandex.kg", "domain": "yandex.kg", "hostname": "social.yandex.kg" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 20, "pulses": [ { "id": "693adba47b2cce69440c726a", "name": "TESLA HACKERS | Login Google", "description": "Attackers target victims Google account, Google browser, Google homepage.\n\nTesla Hackers in the job. Tesla hackers are very young , angry, kids who chased target around mercilessly in their vehicles, photographed target, drive threateningly. Nothing sophisticated about the stalker crewl. This is intentional. Finding troubled individuals who are desperate for power is pretty easy. \n\nThe hit men range from gang members, white , black , Hispanic to the highly educated, Hit man who attempted to take target out was a spoiled, angry , aggressive, sneering POC. He walked in Denver. The next morning , the area target was driven if roadway was closed off and filled with a rather large road crew, work continues to work on this area. (Charlie Kirk like). Alleged traffic officer claims cameras pointed in different directions that night. He was identified as a computer science major by a PI. This feels so dangerous.", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T14:56:36.874000", "tags": [ "tlsv1", "united", "oamazon", "cnamazon rsa", "jfif", "ogoogle trust", "cngts ca", "exif standard", "tiff image", "xresolution74", "execution", "dock", "write", "persistence", "malware", "encrypt", "ca https", "no expiration", "iocs", "url https", "enter source", "url or", "text drag", "drop or", "browse to", "select file", "ipv4", "url http", "type indicator", "sec ch", "ch ua", "unknown", "ua full", "ua platform", "as44273 host", "ua bitness", "msie", "chrome", "backdoor", "trojandropper", "passive dns", "forbidden", "body", "twitter", "trojan", "cookie", "title", "windows nt", "wow64", "slcc2", "media center", "read c", "port", "destination", "local", "moved", "integration all", "urls", "files", "reverse dns", "location united", "america flag", "name servers", "hostname", "unique", "expires wed", "gmt date", "server", "date wed", "connection", "use linux", "cybersecurity", "http", "ip address", "files location", "flag united", "win32", "urls show", "date checked", "url hostname", "server response", "virtool", "date hash", "avast avg", "heur", "lowfi", "k sep", "contacted", "related tags", "none file", "type", "present dec", "present nov", "mtb mar", "aaaa", "hacktool", "indicator role", "domain", "url add", "as20940", "as16625 akamai", "present mar", "present may", "as54113", "present apr", "ipv4 add", "url analysis", "servers", "emails", "hostname add", "present aug", "present sep", "present oct", "status", "present jul", "data upload", "extraction", "as208722 yandex", "russia unknown", "a domains", "expirestue", "path", "certificate", "medium", "alerts show", "ck technique", "technique id", "installs", "pe32", "intel", "ms windows", "high", "icmp traffic", "dns query", "packing t1045", "t1045", "screenshots", "file type", "date february", "pm size", "imphash pehash", "guard", "syst", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "spawns", "t1590 gather", "flag", "united kingdom", "command decode", "belgium belgium", "federation", "france france", "ireland ireland", "canada canada", "suricata ipv4", "click", "tesla hackers", "elon musk", "show", "richhash", "external", "virustotal api", "comments", "vendor finding", "notes clamav", "ms defender", "files matching", "copy", "found", "ssl certificate", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "yara rule", "reads", "number", "sample analysis", "hide samples", "entries", "samples show", "next yara", "detections name", "devcv5 ujrb", "ujrb", "uja1t", "show technique", "mitre att", "ck matrix", "ascii text", "pattern match", "sha1", "network traffic", "show process", "general" ], "references": [ "https://www.teslarati.com/spacex", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "https://www.teslarati.com/", "https://www.teslarati.com/spacex", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "Source : Binary File ATT&CK ID T1566.002", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Detected Non-Google domain serving Google homepage details", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "display_name": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "target": "/malware/Ms Defender\tTrojan:Win32/Qbot.KVD!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Jaik-9940406-0", "display_name": "Win.Malware.Jaik-9940406-0", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "display_name": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5894, "FileHash-MD5": 458, "FileHash-SHA1": 305, "FileHash-SHA256": 2481, "SSLCertFingerprint": 26, "hostname": 2406, "domain": 966, "email": 16, "CVE": 1 }, "indicator_count": 12553, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "142 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c5dcd42da951f32ee24e0f", "name": "https://mypornwap.fun/downloads/5/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashesrs", "description": "", "modified": "2024-08-21T12:25:56.328000", "created": "2024-08-21T12:25:56.328000", "tags": [ "cins active", "poor reputation", "host", "threats et", "ip tcp", "detection list", "ip address", "blacklist", "macedonia", "former yugoslav", "site", "cisco umbrella", "alexa top", "million", "alexa", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "paypal", "team phishing", "blacknet rat", "loki password", "stealer", "malicious url", "malicious site", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "blacknet", "site top", "million alexa", "safe site", "malware", "genpack", "deepscan", "cobalt strike", "malicious", "zbot", "memscan", "cl0p", "cyber threat", "heur", "engineering", "united", "covid19", "malicious host", "team", "virut", "nymaim", "pony", "ransomware", "bradesco", "opencandy", "ramnit", "adload", "simda", "zeus", "pykspa", "riskware", "generic", "artemis", "downldr", "binder", "sutra", "steam", "asyncrat", "revengerat", "downloader", "exploit", "emailworm", "agent", "tinba", "maltiverse safe", "generic malware", "phishing site", "outbrowse", "suppobox", "vawtrak", "solimba", "wacatac", "msil", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "dropper", "mediaget", "crack", "blacklist http", "ascii text", "nysp", "appdata", "jpeg image", "jfif standard", "file", "0xeae6b5", "function", "0x308d49", "x6a4", "push", "shift", "cookie", "slice", "path", "window", "error", "false", "hybrid", "crypto", "open", "blank", "template", "target", "trim", "write", "period", "touchmove", "click", "close", "body", "screen", "android", "canvas", "class", "span", "trident", "accept", "general", "local", "html", "unsafe", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "trojanx", "webshell", "iframe", "patcher", "driverpack", "union", "maltiverse", "blacklist https", "google", "noname057", "redlinestealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": "655d0ec7b7cb12c66cac457d", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 884, "hostname": 1809, "FileHash-MD5": 635, "FileHash-SHA1": 321, "FileHash-SHA256": 2079, "CVE": 16, "URL": 6434 }, "indicator_count": 12178, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "649 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655d0ec7b7cb12c66cac457d", "name": "https://mypornwap.fun/downloads/5/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears-gzip", "description": "Exploit\nContains escaped byte string (often part of obfuscated shellcode), Malicious\nhttps://www.profitabledisplaycontent.com/watch.375255570190.js, Malvertizing a true crime, child pornographer.\n\nSource: https://mypornwap.fun/downloads/5/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears-gzip\n\nResource: https://www.hybrid-analysis.com/sample/f0233084bd810eb266cd29a879dc58d84c2a85032ba58b4b50d5643e7a41a144/655cf15b9f12303f990942e9", "modified": "2023-12-21T19:03:27.243000", "created": "2023-11-21T20:10:47.792000", "tags": [ "cins active", "poor reputation", "host", "threats et", "ip tcp", "detection list", "ip address", "blacklist", "macedonia", "former yugoslav", "site", "cisco umbrella", "alexa top", "million", "alexa", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "paypal", "team phishing", "blacknet rat", "loki password", "stealer", "malicious url", "malicious site", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "blacknet", "site top", "million alexa", "safe site", "malware", "genpack", "deepscan", "cobalt strike", "malicious", "zbot", "memscan", "cl0p", "cyber threat", "heur", "engineering", "united", "covid19", "malicious host", "team", "virut", "nymaim", "pony", "ransomware", "bradesco", "opencandy", "ramnit", "adload", "simda", "zeus", "pykspa", "riskware", "generic", "artemis", "downldr", "binder", "sutra", "steam", "asyncrat", "revengerat", "downloader", "exploit", "emailworm", "agent", "tinba", "maltiverse safe", "generic malware", "phishing site", "outbrowse", "suppobox", "vawtrak", "solimba", "wacatac", "msil", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "dropper", "mediaget", "crack", "blacklist http", "ascii text", "nysp", "appdata", "jpeg image", "jfif standard", "file", "0xeae6b5", "function", "0x308d49", "x6a4", "push", "shift", "cookie", "slice", "path", "window", "error", "false", "hybrid", "crypto", "open", "blank", "template", "target", "trim", "write", "period", "touchmove", "click", "close", "body", "screen", "android", "canvas", "class", "span", "trident", "accept", "general", "local", "html", "unsafe", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "trojanx", "webshell", "iframe", "patcher", "driverpack", "union", "maltiverse", "blacklist https", "google", "noname057", "redlinestealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 884, "hostname": 1809, "FileHash-MD5": 635, "FileHash-SHA1": 321, "FileHash-SHA256": 2079, "CVE": 16, "URL": 6434 }, "indicator_count": 12178, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "893 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655d0f94ad4d7cdc5e3f0a98", "name": "BlackNET", "description": "Exploit\nContains escaped byte string (often part of obfuscated shellcode), Malicious\nhttps://www.profitabledisplaycontent.com/watch.375255570190.js, Malvertizing a true crime, child pornographer.\n\nSource: https://mypornwap.fun/downloads/5/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears-gzip\n\nResource: https://www.hybrid-analysis.com/sample/f0233084bd810eb266cd29a879dc58d84c2a85032ba58b4b50d5643e7a41a144/655cf15b9f12303f990942e9", "modified": "2023-12-21T19:03:27.243000", "created": "2023-11-21T20:14:12.454000", "tags": [ "cins active", "poor reputation", "host", "threats et", "ip tcp", "detection list", "ip address", "blacklist", "macedonia", "former yugoslav", "site", "cisco umbrella", "alexa top", "million", "alexa", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "paypal", "team phishing", "blacknet rat", "loki password", "stealer", "malicious url", "malicious site", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "blacknet", "site top", "million alexa", "safe site", "malware", "genpack", "deepscan", "cobalt strike", "malicious", "zbot", "memscan", "cl0p", "cyber threat", "heur", "engineering", "united", "covid19", "malicious host", "team", "virut", "nymaim", "pony", "ransomware", "bradesco", "opencandy", "ramnit", "adload", "simda", "zeus", "pykspa", "riskware", "generic", "artemis", "downldr", "binder", "sutra", "steam", "asyncrat", "revengerat", "downloader", "exploit", "emailworm", "agent", "tinba", "maltiverse safe", "generic malware", "phishing site", "outbrowse", "suppobox", "vawtrak", "solimba", "wacatac", "msil", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "dropper", "mediaget", "crack", "blacklist http", "ascii text", "nysp", "appdata", "jpeg image", "jfif standard", "file", "0xeae6b5", "function", "0x308d49", "x6a4", "push", "shift", "cookie", "slice", "path", "window", "error", "false", "hybrid", "crypto", "open", "blank", "template", "target", "trim", "write", "period", "touchmove", "click", "close", "body", "screen", "android", "canvas", "class", "span", "trident", "accept", "general", "local", "html", "unsafe", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "trojanx", "webshell", "iframe", "patcher", "driverpack", "union", "maltiverse", "blacklist https", "google", "noname057", "redlinestealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 884, "hostname": 1809, "FileHash-MD5": 635, "FileHash-SHA1": 321, "FileHash-SHA256": 2079, "CVE": 16, "URL": 6434 }, "indicator_count": 12178, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "893 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655d0edbb8c22bcb4e5969b8", "name": "https://mypornwap.fun/downloads/5/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears-gzip", "description": "Exploit\nContains escaped byte string (often part of obfuscated shellcode), Malicious\nhttps://www.profitabledisplaycontent.com/watch.375255570190.js, Malvertizing a true crime, child pornographer.\n\nSource: https://mypornwap.fun/downloads/5/search/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears-gzip\n\nResource: https://www.hybrid-analysis.com/sample/f0233084bd810eb266cd29a879dc58d84c2a85032ba58b4b50d5643e7a41a144/655cf15b9f12303f990942e9", "modified": "2023-12-21T19:03:27.243000", "created": "2023-11-21T20:11:07.064000", "tags": [ "cins active", "poor reputation", "host", "threats et", "ip tcp", "detection list", "ip address", "blacklist", "macedonia", "former yugoslav", "site", "cisco umbrella", "alexa top", "million", "alexa", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "paypal", "team phishing", "blacknet rat", "loki password", "stealer", "malicious url", "malicious site", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "blacknet", "site top", "million alexa", "safe site", "malware", "genpack", "deepscan", "cobalt strike", "malicious", "zbot", "memscan", "cl0p", "cyber threat", "heur", "engineering", "united", "covid19", "malicious host", "team", "virut", "nymaim", "pony", "ransomware", "bradesco", "opencandy", "ramnit", "adload", "simda", "zeus", "pykspa", "riskware", "generic", "artemis", "downldr", "binder", "sutra", "steam", "asyncrat", "revengerat", "downloader", "exploit", "emailworm", "agent", "tinba", "maltiverse safe", "generic malware", "phishing site", "outbrowse", "suppobox", "vawtrak", "solimba", "wacatac", "msil", "outbreak", "installcore", "acint", "conduit", "installpack", "iobit", "dropper", "mediaget", "crack", "blacklist http", "ascii text", "nysp", "appdata", "jpeg image", "jfif standard", "file", "0xeae6b5", "function", "0x308d49", "x6a4", "push", "shift", "cookie", "slice", "path", "window", "error", "false", "hybrid", "crypto", "open", "blank", "template", "target", "trim", "write", "period", "touchmove", "click", "close", "body", "screen", "android", "canvas", "class", "span", "trident", "accept", "general", "local", "html", "unsafe", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "trojanx", "webshell", "iframe", "patcher", "driverpack", "union", "maltiverse", "blacklist https", "google", "noname057", "redlinestealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 884, "hostname": 1809, "FileHash-MD5": 635, "FileHash-SHA1": 321, "FileHash-SHA256": 2079, "CVE": 16, "URL": 6434 }, "indicator_count": 12178, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "893 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655950034e6ae4650a6b02ce", "name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4", "description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-19T00:00:03.258000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655aef8a8cc2e0929f2aa5ea", "name": "Python Initiated Connection | Spyware | Remote Attacks |", "description": "", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-20T05:32:58.400000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "655950034e6ae4650a6b02ce", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8d167202b93ee502ff8", "name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader", "description": "", "modified": "2023-12-06T17:01:05.291000", "created": "2023-12-06T17:01:05.291000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 12, "URL": 3839, "hostname": 1331, "FileHash-SHA256": 2976, "domain": 757, "FileHash-MD5": 250, "FileHash-SHA1": 80 }, "indicator_count": 9245, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8bf416a1c314819ea53", "name": "Remote Access Related | APK attack targets independent artists", "description": "", "modified": "2023-12-06T17:00:47.888000", "created": "2023-12-06T17:00:47.888000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-SHA256": 2385, "hostname": 1054, "domain": 713, "URL": 3595, "FileHash-MD5": 1104, "FileHash-SHA1": 585, "FilePath": 1 }, "indicator_count": 9442, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709a0e8c20860fea88779a", "name": "https://surveyheart.com/form/619fb5dc68ff1721fc915f81", "description": "", "modified": "2023-12-06T15:58:06.293000", "created": "2023-12-06T15:58:06.293000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3624, "FileHash-SHA256": 1584, "domain": 871, "hostname": 1290, "FileHash-MD5": 20, "FileHash-SHA1": 20 }, "indicator_count": 7409, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://social.yandex.kg", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://social.yandex.kg", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780346258.8889544 }