{ "type": "URL", "indicator": "https://sp.xxtgg.bar", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://sp.xxtgg.bar", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2928590139, "indicator": "https://sp.xxtgg.bar", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 26, "pulses": [ { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a9cad6633206ba1204cf8f", "name": "clone school board ", "description": "", "modified": "2026-03-06T11:26:19.137000", "created": "2026-03-05T18:26:30.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6211397913dcdae410959042", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2975, "URL": 9041, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17981, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a9cad78745fdea3001aec9", "name": "clone school board ", "description": "", "modified": "2026-03-06T05:11:24.929000", "created": "2026-03-05T18:26:31.303000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6211397913dcdae410959042", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2975, "URL": 9041, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17981, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "5fa57698ac0f6638b7b9a8ba", "name": "Pool's Closed", "description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.", "modified": "2025-12-27T05:02:34.910000", "created": "2020-11-06T16:15:20.139000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23426, "hostname": 9590, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47099, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "671fd3b07ffb71116f2db7fa", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:56.355000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "671fd3afa974b93284d6bac1", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:55.712000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d32648280eb859dfca1c19", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:48.037000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d3264283628d23b8f28b9d", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:42.621000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be8f1e5db08cf140cdea23", "name": "TinyNote | Douglas County, Co Sheriff's Office | Pegasus Attacks SA victim ", "description": "", "modified": "2024-02-03T19:08:14.934000", "created": "2024-02-03T19:08:14.934000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "65b85d301a253bd67048cbba", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "805 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85d301a253bd67048cbba", "name": "TinyNote | Douglas County, Co Sheriff's Office | Pegasus Attacks SA victim ", "description": "", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-30T02:21:36.334000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "65a2e3ebbb1bdfd541af3e91", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a2e3ebbb1bdfd541af3e91", "name": "TinyNote | Douglas County, Colorado Sheriff's Office?", "description": "", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-13T19:26:35.621000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "6593c7224a0e8926c28f73d5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6593c7224a0e8926c28f73d5", "name": "TinyNote | Douglas County, Colorado Sheriff's Office?", "description": "Sent to me by D*n*i* M. P*r**h. I can't comprehend. Looks like framing and cyber tracking pf a SA victim by a sheriff best friend of reporting doctor whose wife is Douglas Co coroner. Reporting MD threatened and warned Brashears of what would happen then warned SA PT by relating issues. Targets and associated as severe risk.", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-02T08:19:45.693000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a161f0681f4ff3d67feb", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:29:21.844000", "created": "2023-12-06T16:29:21.844000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a145926a5676de0e2a1a", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:28:53.979000", "created": "2023-12-06T16:28:53.979000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0bc9f2837fed9426cdd", "name": "Apple Music.app (by @kailula)", "description": "", "modified": "2023-12-06T16:26:36.394000", "created": "2023-12-06T16:26:36.394000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1235, "domain": 324, "hostname": 1559, "URL": 2278, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570810b6b17147085608503", "name": "Apple Music.app", "description": "", "modified": "2023-12-06T14:11:23.015000", "created": "2023-12-06T14:11:23.015000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1235, "domain": 324, "hostname": 1559, "URL": 2278, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707e9819da1f2e8e26e78e", "name": "recallsfschoolboard.org", "description": "", "modified": "2023-12-06T14:00:56.019000", "created": "2023-12-06T14:00:56.019000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 24, "domain": 2214, "URL": 9040, "FileHash-MD5": 280, "FileHash-SHA256": 3044, "hostname": 2973, "FileHash-SHA1": 327, "SSLCertFingerprint": 6, "CIDR": 6, "email": 64 }, "indicator_count": 17978, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707e0e3c8fc67d6f4a474e", "name": "xred.mooo.com", "description": "", "modified": "2023-12-06T13:58:38.360000", "created": "2023-12-06T13:58:38.360000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 301, "hostname": 265, "URL": 482, "domain": 95, "FileHash-MD5": 8, "FileHash-SHA1": 2 }, "indicator_count": 1153, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707b9630308cb99a817277", "name": "Pool's Closed", "description": "", "modified": "2023-12-06T13:48:06.514000", "created": "2023-12-06T13:48:06.514000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64e7febe244cb68794edc480", "name": "Dropbox exploit via httrack-3.49.2.exe (malicious) trojan.darkkomet/zorexRAT MALWARE", "description": "httrack-3.49.2.exe\ntrojan.darkkomet/zorex\nRuleset:\n ET POLICY Dropbox.com Offsite File Backup in Use\nET HUNTING Suspicious User-Agent Containing .exe\nET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com\nUnique rule identifier:\nThis rule belongs to a private collection.", "modified": "2023-09-24T00:00:49.866000", "created": "2023-08-25T01:07:10.740000", "tags": [ "delphi", "vhash", "authentihash", "imphash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "intel", "serial number", "valid from", "valid", "time stamping", "pointing device", "symantec time", "stamping", "name symantec", "signer", "from valid", "chi2", "entropy", "type rtstring", "type rtbitmap", "type rtrcdata", "type rtcursor", "default entropy", "type rticon", "dos exe", "functionality", "verqueryvaluea", "couninitialize", "virtual address", "virtual size", "raw size", "chi2 1", "sections", "md5 code", "data" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 73, "FileHash-MD5": 16, "FileHash-SHA1": 14, "domain": 18, "hostname": 43, "URL": 70 }, "indicator_count": 234, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "938 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f37719db054ccde25aa9df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:37.269000", "created": "2023-09-02T17:55:37.269000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "960 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f3771616d9a9891947e4df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:34.095000", "created": "2023-09-02T17:55:34.095000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "960 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64e7ab22bbbb24b60b0ede98", "name": "Apple Music.app (by @kailula)", "description": "", "modified": "2023-08-24T19:10:26.385000", "created": "2023-08-24T19:10:26.385000", "tags": [ "whois", "whois record", "ssl certificate", "chinese", "ip check", "mac malware", "collection ii", "steg icons", "wired", "collection", "korlia", "trickbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6228c8698878b924d3b309b6", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2278, "hostname": 1559, "domain": 324, "FileHash-SHA256": 1235, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "968 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6228c8698878b924d3b309b6", "name": "Apple Music.app", "description": "", "modified": "2022-04-08T00:05:40.239000", "created": "2022-03-09T15:31:53.378000", "tags": [ "whois", "whois record", "ssl certificate", "chinese", "ip check", "mac malware", "collection ii", "steg icons", "wired", "collection", "korlia", "trickbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2278, "hostname": 1559, "domain": 324, "FileHash-SHA256": 1235, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 409, "modified_text": "1472 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6211397913dcdae410959042", "name": "recallsfschoolboard.org", "description": "garry tan has no hand", "modified": "2022-03-26T19:02:17.827000", "created": "2022-02-19T18:39:53.002000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2973, "URL": 9040, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17978, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1484 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6209766a002a61265d53ce47", "name": "xred.mooo.com", "description": "", "modified": "2022-03-15T00:00:20.682000", "created": "2022-02-13T21:21:45.995000", "tags": [ "whois", "ssl certificate", "whois record", "file size", "win32 dll", "name", "win32 exe", "kb file", "file type", "kb pe", "detections file", "akamai", "ltd dba", "com laude", "enom", "chengdu west", "chengdu", "ascii text", "neutral", "data rtbitmap", "data rtcursor", "lotus", "default", "trid win32", "data rtrcdata", "intel", "delphi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 265, "URL": 482, "FileHash-SHA256": 301, "domain": 95, "FileHash-MD5": 8, "FileHash-SHA1": 2 }, "indicator_count": 1153, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1496 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "ftpusers", "collective.ldif", "cupsd.conf.O", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "audit_warn", "httpd.conf", "httpd-vhosts.conf", "csh.cshrc", "rc.netboot", "main.cf", "com.apple.contacts.ContactsAutocomplete", "dyngroup.schema", "master.cf.proto", "microsoft.std.schema", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "com.apple.xscertd.conf", "nis.ldif", "com.apple.performance", "apple.schema", "httpd-userdir.conf", "protocols", "duaconf.ldif", "java.schema", "netinfo.schema", "racoon.conf", "apple-identifiant.info", "bounce.cf.default", "man.conf", "com.apple.networking.boringssl", "httpd-info.conf", "audit_control", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "httpd-languages.conf", "cosine.ldif", "deadlineday.twitter.com", "com.apple.login.guest", "com.apple.coreduetd", "fmserver.schema", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "php7.conf", "com.apple.eventmonitor", "com.apple.mkb", "ntp_opendirectory.conf", "joebiden.com", "corba.ldif", "familyhandyman.com", "csh.login", "files.conf", "networks", "profile", "rmtab", "0-courier.push.apple.com", "cups-files.conf", "Pool Closed", "rtadvd.conf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "cs001.informativeremail-apple.zoom.com.cn", "generic", "TLS_LICENSE", "com.apple.MessageTracer", "hosts", "com.apple.authd", "find.codes", "ldap.conf", "rc.common", "httpd-default.conf", "rpc", "core.ldif", "microsoft.schema", "message.htm.com", "com.apple.slapconfig.conf", "dyngroup.ldif", "master.cf.default", "newsyslog.conf", "snmp.conf.default", "com.apple.screensharing.agent.launchd", "README", "https://www.anyxxxtube.net/media/favicon/apple", "nfs.conf", "pmi.schema", "makedefs.out", "cupsd.conf.default", "httpd-autoindex.conf", "relocated", "collective.schema", "openldap.ldif", "nis.schema", "com.apple.install", "header_checks", "gettytab", "httpd-mpm.conf", "group", "ntp.conf", "locate.rc", "openldap.schema", "ppolicy.schema", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "hosts.equiv", "httpd-ssl.conf", "krb5-kdc.schema", "dragonforce.io", "69.197.153.180", "httpd-multilang-errordoc.conf", "ppolicy.ldif", "pmi.ldif", "duaconf.schema", "transport", "audit_event", "http://watchhers.net/index.php", "main.cf.proto", "misc.ldif", "audit_class", "auto_master", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "mpm.conf", "aliases", "java.ldif", "kern_loader.conf", "master.cf", "quackbot? Qbot qakbot positive", "nr-data.net", "AppleOpenLDAP.plist", "magic", "ldap.conf.default", "notify.conf", "httpd-manual.conf", "auto_home", "canonical", "cupsd.conf", "com.apple.mkb.internal", "mime.types", "com.apple.iokit.power", "com.apple.slapd.conf", "Pool's Closed", "bashrc_Apple_Terminal", "custom_header_checks", "access", "irbrc", "afpovertcp.cfg", "manpaths", "asl.conf", "cosine.schema", "com.apple.mail", "cups-files.conf.default", "https://twitter.com/sheriffspurlock?lang=en", "autofs.conf", "apple_auxillary.schema", "mail.rc", "LICENSE", "corba.schema", "inetorgperson.ldif", "wifi.conf", "This is all too strange! Corruption or Spoofed?", "virtual", "inetorgperson.schema", "com.apple.cdscheduler", "core.schema", "misc.schema", "main.cf.default", "proxy-html.conf", "httpd-dav.conf", "bashrc", "samba.schema", "postfix-files", "0-i-0.xyz", "csh.logout", "snmp.conf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Comspec", "Allowoverride", "Alf:hstr:trojanspy:msil/keylogger", "Virus:dos/cyberwar_5300", "Trojandownloader:win32/bridge", "Qbot", "Ransomexx", "Hacktool", "Tel:trojanspy:win32/kedirat", "Pegasus for ios - s0289", "Cobalt strike - s0154", "Pegasus for android - s0316", "Alf:heraklezeval:backdoor:linux/tsunami", "Malaysia, truly asia", "Alf:heraklezeval:backdoorlinux/mirai", "Ultra vnc", "Quackbot", "9002 rat", "Pegasus - mob-s0005", "Virus:dos/psmpc_386", "Directoryindex", "Alf:heraklezeval:backdoor:linux/mirai", "Tinynote", "Trojanspy:ios/xcodeghost", "Backdoor:win32/espion" ], "industries": [ "Hospitality", "Ngo", "Telecommunications", "Ad fraud", "Technology", "Semiconductor", "Energy", "Lgbtq+ activists", "Human subjects", "Media" ], "unique_indicators": 115801 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/xxtgg.bar", "whois": "http://whois.domaintools.com/xxtgg.bar", "domain": "xxtgg.bar", "hostname": "sp.xxtgg.bar" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 26, "pulses": [ { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a9cad6633206ba1204cf8f", "name": "clone school board ", "description": "", "modified": "2026-03-06T11:26:19.137000", "created": "2026-03-05T18:26:30.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6211397913dcdae410959042", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2975, "URL": 9041, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17981, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a9cad78745fdea3001aec9", "name": "clone school board ", "description": "", "modified": "2026-03-06T05:11:24.929000", "created": "2026-03-05T18:26:31.303000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6211397913dcdae410959042", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2975, "URL": 9041, "domain": 2214, "FileHash-SHA256": 3044, "FileHash-MD5": 280, "FileHash-SHA1": 327, "CIDR": 6, "email": 64, "CVE": 24, "SSLCertFingerprint": 6 }, "indicator_count": 17981, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "5fa57698ac0f6638b7b9a8ba", "name": "Pool's Closed", "description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.", "modified": "2025-12-27T05:02:34.910000", "created": "2020-11-06T16:15:20.139000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23426, "hostname": 9590, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47099, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "671fd3b07ffb71116f2db7fa", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:56.355000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "671fd3afa974b93284d6bac1", "name": "dragonforce.io", "description": "Throw your MacBook in the trash, where the hackers belong.", "modified": "2024-11-27T17:01:13.516000", "created": "2024-10-28T18:10:55.712000", "tags": [ "copyright", "apple computer", "tcpip", "supported", "quantum", "postfix", "mail", "aliases", "postfix version", "restrict", "wietse venema", "sample", "note", "person", "basic system", "general", "column", "tiff", "linus walleij", "triad", "greg roelofs", "html", "daniel quinlan", "aiff", "music", "wave", "formats", "magic", "form", "crunch", "freeze", "maker", "format", "postscript", "this", "ifmodule", "include", "virtualhost", "directory", "require", "serverroot", "listen", "ifdefine", "loadmodule", "errordocument", "apache", "win32", "example", "main", "webdav", "internet", "mime type", "xlm xla", "xlc xlt", "xlam", "xlsb", "xlsm", "xltm", "z7 z8", "xhtml xht", "addiconbytype", "adddescription", "fancyindexed", "gzip", "indexignore", "indexes", "versionsort", "fancyindexing", "alias icons", "full", "minrate500", "keepalive", "prod", "email", "apache http", "server", "timeout", "number", "minimal", "major", "addlanguage", "addcharset", "defaultlanguage", "fallback", "polish", "addlanguage pl", "catalan", "english", "greekmodern", "korean", "turkish", "browsermatch", "davlockdb", "requireany", "usergroup", "alias", "authtype digest", "davupload admin", "authuserfile", "errorhttp", "http", "yourincludepath", "apache version", "serversignature", "alias error", "addhandler", "threadsperchild", "startservers", "minsparethreads", "maxsparethreads", "maximum number", "pidfile", "mpms", "threadstacksize", "extendedstatus", "change", "sethandler", "require host", "get information", "allow server", "allow", "userdir sites", "control access", "userdir", "sslsessioncache", "configure", "ocsp stapling", "ssl engine", "sslrequire", "ssltls standard", "prng", "sslrandomseed", "openssl", "high", "first", "refer", "servername", "virtualhost 80", "serveradmin", "documentroot", "errorlog", "customlog", "hosts", "please", "almost", "loadfile c", "proxyhtmllinks", "ascii", "unicode", "windows", "must", "location", "w3c html", "directoryindex", "allowoverride", "manual", "provide access", "options indexes", "files", "removetype tr", "traditionally", "addlanguage da", "addtype", "a facility", "claim", "file", "level error", "sender", "store", "level", "facility", "category", "time", "host", "threadid", "function", "line", "message", "guest", "access", "kernel", "usereventagent", "springboard", "message sep", "message mc", "message secure", "ca message", "multitouchhid", "use directory", "home autohome", "automounter map", "get home", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "level info", "broadcast", "ignore", "rules", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "terminal", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "limit", "order deny", "authtype", "default require", "require user", "owner", "authkey", "lpadmin", "order", "system", "local", "cups scheduler", "list", "synconclose no", "default user", "user lp", "group lp", "group value", "restrict access", "cups", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "host database", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "readline", "error", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "status mailfrom", "returnpath via", "open directory", "jabber", "group database", "cyrus", "calendar", "dovecot", "postfix scsd", "networkd", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "flags", "bcgjnuwz", "d0 j", "ldap defaults", "base dcexample", "uri ldap", "sizelimit", "timelimit", "deref", "syntax", "kerberos", "name", "corba object", "desc", "schema", "openldap", "redistribution", "public license", "license", "collective", "shall not", "ldap", "co llective", "equality", "sup name", "structural must", "singlevalue", "auxiliary must", "auxiliary may", "guid", "desc account", "desc mount", "desc password", "service", "info", "tiger", "multi", "d esc", "rfc1274", "structural may", "quality", "substr caseigno", "corba", "ldap directory", "reserved", "ldap server", "dynamic group", "netscape", "not recommended", "for production", "attribute", "name managedby", "name leaf", "duas", "internetdrafts", "coast", "project", "java object", "java class", "de sc", "pkcs", "inetorgperson", "rfc2798", "signeddata", "smime", "openldap note", "hold", "code", "java", "jndi reference", "jndi", "with syntax", "definitions", "kerberos v", "kdc schema", "oid base", "size", "subclass of", "may contain", "objectclass", "must contain", "matches for", "obsolete", "des c", "abstract must", "sup person", "microsoft", "advanced server", "schema mapping", "netinfo", "config", "groups", "netinfo preset", "crypt", "netinfo rpcs", "rpcs number", "oncrpcnumber", "ipnetmasknumber", "assistant", "may description", "rfc2307", "rfc2252", "match syntax", "openldaproot", "openldaporg", "openldapou", "equal ity", "kind", "rule", "attcertpath", "rolesyntax", "ldif", "blank", "ldap entry", "spaces", "cosine pilot", "directory forum", "password policy", "false", "april", "auxiliary", "passwd", "account", "desc pool", "unix", "structural", "sup rpcentry", "sup container", "abstract may", "sup ipsecbase", "Chelsea Manning Help Me", "Aishah Siti Lazim", "Aishah Lazim", "194 Green Street", "Human Subjects", "cybernetic", "RNA molecule", "matches", "postfix smtp", "domain", "ipv6 host", "reject", "reply", "prior", "bugs", "reject empty", "canonical", "tables", "post", "replace user", "address", "generic", "smtp", "isp mail", "mail delivery", "charset", "report", "postfix dsn", "mail returned", "only", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "pass", "write", "date", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "path", "beware", "class", "uucp", "shell", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "update", "usrsbin", "file format", "no group", "daemondirectory", "relocated", "matches user", "synopsis", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "virtual", "virtual alias", "redirect mail", "deliver mail", "transport", "description", "result format", "bashno", "r etcbashrc", "protocol", "ipv6", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "kame", "id key", "specification", "auto exit", "vpn socket", "networkup", "term", "devnull", "common setup", "set command", "sunnet manager", "rpcsrc", "netlicense", "apple", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "auditing", "solaris", "openbsm", "secsrvr", "allocation", "bsm event", "solaris kernel", "openbsm kernel", "solaris auemac", "solaris umount", "integer", "array", "data", "state", "opendirectoryd", "ipv4", "plist", "dict", "session", "commcenter", "airport", "cfbasichash", "thread", "cfrunloop", "cfrunloopmode", "usrbinsudo", "usrsbinnetbiosd", "removed" ], "references": [ "afpovertcp.cfg", "aliases", "magic", "httpd.conf", "mime.types", "httpd-autoindex.conf", "httpd-default.conf", "httpd-languages.conf", "httpd-dav.conf", "httpd-multilang-errordoc.conf", "httpd-mpm.conf", "httpd-info.conf", "httpd-userdir.conf", "httpd-ssl.conf", "httpd-vhosts.conf", "proxy-html.conf", "httpd-manual.conf", "php7.conf", "mpm.conf", "com.apple.eventmonitor", "com.apple.authd", "com.apple.cdscheduler", "com.apple.contacts.ContactsAutocomplete", "com.apple.install", "com.apple.coreduetd", "com.apple.login.guest", "com.apple.mkb", "com.apple.mail", "com.apple.MessageTracer", "com.apple.mkb.internal", "com.apple.iokit.power", "com.apple.performance", "com.apple.networking.boringssl", "auto_master", "auto_home", "bashrc", "asl.conf", "autofs.conf", "bashrc_Apple_Terminal", "csh.cshrc", "csh.logout", "com.apple.screensharing.agent.launchd", "csh.login", "cupsd.conf", "cups-files.conf.default", "cupsd.conf.O", "cupsd.conf.default", "cups-files.conf", "snmp.conf", "snmp.conf.default", "dragonforce.io", "find.codes", "ftpusers", "hosts.equiv", "gettytab", "hosts", "kern_loader.conf", "irbrc", "locate.rc", "mail.rc", "group", "man.conf", "networks", "manpaths", "newsyslog.conf", "com.apple.slapconfig.conf", "files.conf", "com.apple.xscertd.conf", "wifi.conf", "com.apple.slapd.conf", "nfs.conf", "ntp.conf", "notify.conf", "ntp_opendirectory.conf", "AppleOpenLDAP.plist", "ldap.conf", "ldap.conf.default", "apple_auxillary.schema", "corba.ldif", "collective.schema", "collective.ldif", "core.ldif", "apple.schema", "cosine.ldif", "core.schema", "corba.schema", "duaconf.ldif", "dyngroup.ldif", "fmserver.schema", "duaconf.schema", "java.ldif", "inetorgperson.schema", "inetorgperson.ldif", "java.schema", "krb5-kdc.schema", "cosine.schema", "misc.ldif", "microsoft.std.schema", "misc.schema", "netinfo.schema", "nis.schema", "nis.ldif", "openldap.schema", "dyngroup.schema", "pmi.ldif", "ppolicy.ldif", "pmi.schema", "openldap.ldif", "README", "ppolicy.schema", "samba.schema", "microsoft.schema", "access", "custom_header_checks", "canonical", "generic", "bounce.cf.default", "header_checks", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "master.cf", "main.cf.proto", "master.cf.proto", "postfix-files", "relocated", "TLS_LICENSE", "virtual", "main.cf.default", "transport", "profile", "protocols", "racoon.conf", "rmtab", "rc.common", "rpc", "rtadvd.conf", "rc.netboot", "audit_class", "audit_warn", "audit_event", "audit_control" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Bahrain", "Israel", "India" ], "malware_families": [ { "id": "DirectoryIndex", "display_name": "DirectoryIndex", "target": null }, { "id": "AllowOverride", "display_name": "AllowOverride", "target": null }, { "id": "Malaysia, Truly Asia", "display_name": "Malaysia, Truly Asia", "target": null }, { "id": "9002 RAT", "display_name": "9002 RAT", "target": null }, { "id": "Virus:DOS/PSMPC_386", "display_name": "Virus:DOS/PSMPC_386", "target": "/malware/Virus:DOS/PSMPC_386" }, { "id": "TEL:TrojanSpy:Win32/KediRat", "display_name": "TEL:TrojanSpy:Win32/KediRat", "target": null }, { "id": "TrojanSpy:iOS/XcodeGhost", "display_name": "TrojanSpy:iOS/XcodeGhost", "target": "/malware/TrojanSpy:iOS/XcodeGhost" }, { "id": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "display_name": "ALF:HSTR:TrojanSpy:MSIL/KeyLogger", "target": null }, { "id": "Ultra VNC", "display_name": "Ultra VNC", "target": null }, { "id": "TrojanDownloader:Win32/Bridge", "display_name": "TrojanDownloader:Win32/Bridge", "target": "/malware/TrojanDownloader:Win32/Bridge" }, { "id": "Virus:DOS/Cyberwar_5300", "display_name": "Virus:DOS/Cyberwar_5300", "target": "/malware/Virus:DOS/Cyberwar_5300" }, { "id": "Backdoor:Win32/Espion", "display_name": "Backdoor:Win32/Espion", "target": "/malware/Backdoor:Win32/Espion" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:BackdoorLinux/Mirai", "display_name": "ALF:HeraklezEval:BackdoorLinux/Mirai", "target": null }, { "id": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "display_name": "ALF:HeraklezEval:Backdoor:Linux/Tsunami", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1001.002", "name": "Steganography", "display_name": "T1001.002 - Steganography" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1026", "name": "Multiband Communication", "display_name": "T1026 - Multiband Communication" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Media", "LGBTQ+ Activists", "Technology", "Telecommunications", "Hospitality", "Energy", "NGO", "Semiconductor", "Human Subjects" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 669, "URL": 1976, "email": 21, "hostname": 1198, "FileHash-SHA256": 277, "CVE": 2, "CIDR": 3 }, "indicator_count": 4146, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d32648280eb859dfca1c19", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:48.037000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d3264283628d23b8f28b9d", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:42.621000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be8f1e5db08cf140cdea23", "name": "TinyNote | Douglas County, Co Sheriff's Office | Pegasus Attacks SA victim ", "description": "", "modified": "2024-02-03T19:08:14.934000", "created": "2024-02-03T19:08:14.934000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "65b85d301a253bd67048cbba", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "805 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85d301a253bd67048cbba", "name": "TinyNote | Douglas County, Co Sheriff's Office | Pegasus Attacks SA victim ", "description": "", "modified": "2024-02-01T07:00:20.140000", "created": "2024-01-30T02:21:36.334000", "tags": [ "june", "whois record", "ssl certificate", "threat roundup", "september", "roundup", "problems", "threat network", "drive", "march", "february", "startpage", "installer", "cobalt strike", "cobaltstrike", "whois whois", "referrer", "malicious", "quackbot", "tinynote", "contacted", "hacktool", "ransomexx", "name verdict", "falcon sandbox", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "getprocaddress", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "observed email", "united", "null", "path", "date", "twitter", "factory", "hybrid", "general", "model", "comspec", "click", "strings", "tsara brashears", "corruption", "sherrif", "douglas county", "framing", "hacking", "tracking", "infostealer", "porn", "critical", "danger", "spurlock" ], "references": [ "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "nr-data.net", "https://ww11.0123movie.net/icons/apple-touch-icon.png", "https://ww9.0123movie.net/icons/apple-touch-icon.png", "apple-identifiant.info", "cs001.informativeremail-apple.zoom.com.cn", "0-i-0.xyz", "0-courier.push.apple.com", "https://www.anyxxxtube.net/media/favicon/apple", "message.htm.com", "joebiden.com", "familyhandyman.com", "deadlineday.twitter.com", "https://autodiscover.socket.net/Autodiscover/DEADJOE", "http://watchhers.net/index.php", "69.197.153.180", "This is all too strange! Corruption or Spoofed?", "quackbot? Qbot qakbot positive" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TinyNote", "display_name": "TinyNote", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QuackBot", "display_name": "QuackBot", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": "65a2e3ebbb1bdfd541af3e91", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7190, "FileHash-MD5": 157, "FileHash-SHA1": 116, "FileHash-SHA256": 2281, "domain": 2139, "hostname": 2485, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 14372, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://sp.xxtgg.bar", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://sp.xxtgg.bar", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776622798.610592 }