{ "type": "URL", "indicator": "https://sso.dev.fiba.pulselive.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://sso.dev.fiba.pulselive.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3782555933, "indicator": "https://sso.dev.fiba.pulselive.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6a141c15cfec672ba39e6a17", "name": "S0094 clone credit score blue ", "description": "", "modified": "2026-05-25T10:03:13.774000", "created": "2026-05-25T09:53:25.429000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": "6665d55d941729c5f283b3f7", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2951, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17067, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d55d941729c5f283b3f7", "name": "S0094-Remote Access - Assurance [a Prudential company]", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:16:29.634000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "690 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d9ae1b06b560698b2a70", "name": "Assurance [a Prudential company] S0094-Remote Access", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:34:54.161000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "690 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6553b88c316cfb531b9c4c10", "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go.com", "description": "spyware, 114.114.114.114, Tulach, C2, apple iOS, passwords, crack, unlock , click, att, hughesnet", "modified": "2023-12-14T15:03:30.417000", "created": "2023-11-14T18:12:28.459000", "tags": [ "united", "blacklist", "malicious site", "mail spammer", "detection list", "cisco umbrella", "site", "safe site", "malware", "phishing site", "heur", "malware site", "alexa top", "million", "unsafe", "artemis", "riskware", "conduit", "agent", "opencandy", "xtrat", "iframe", "cleaner", "team", "installpack", "xrat", "tiggre", "presenoker", "fusioncore", "wacatac", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "crack", "softcnapp", "trojanspy", "maltiverse", "falcon sandbox", "pattern match", "root ca", "authority", "class", "script", "ascii text", "mitre att", "localappdata", "temp", "ck id", "date", "unknown", "generator", "critical", "error", "meta", "hybrid", "general", "local", "click", "strings", "expiressun", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pt3uc1", "path", "movies", "watch", "html info", "meta tags", "suddenlink tv", "trackers amazon", "pt3rc1", "whois record", "whois whois", "ssl certificate", "historical", "historical ssl", "referrer", "communicating", "dropped", "contacted", "apple ios", "hacktool", "metro", "malicious", "crypto", "installer", "attack", "awful", "brian sabey", "aig", "civicaIg", "tracking", "password crack", "tulach", "target tsara brashears", "tylerknott", "att", "monitoring", "spyware", "spying", "cybercrime", "tulach", "hughesnet", "ios", "toshiba", "attack", "malvertizing", "cyber stalking", "porn", "pornhub" ], "references": [ "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "myhughesnet.com", "dishmail.net", "home.toshiba.com", "ytq2rs56.haogfw.com", "pornhub.com", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "monitor.cablelan.net", "https://monitor.rodgersmith.com", "https://www.everycloudtech.com/free-mail-flow-monitor" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 179, "FileHash-SHA256": 4528, "CVE": 7, "domain": 2024, "hostname": 3556, "URL": 10455 }, "indicator_count": 20893, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568ab12429c394dc4b91ea", "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go", "description": "", "modified": "2023-12-14T15:03:30.417000", "created": "2023-11-16T21:33:37.838000", "tags": [ "united", "blacklist", "malicious site", "mail spammer", "detection list", "cisco umbrella", "site", "safe site", "malware", "phishing site", "heur", "malware site", "alexa top", "million", "unsafe", "artemis", "riskware", "conduit", "agent", "opencandy", "xtrat", "iframe", "cleaner", "team", "installpack", "xrat", "tiggre", "presenoker", "fusioncore", "wacatac", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "crack", "softcnapp", "trojanspy", "maltiverse", "falcon sandbox", "pattern match", "root ca", "authority", "class", "script", "ascii text", "mitre att", "localappdata", "temp", "ck id", "date", "unknown", "generator", "critical", "error", "meta", "hybrid", "general", "local", "click", "strings", "expiressun", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pt3uc1", "path", "movies", "watch", "html info", "meta tags", "suddenlink tv", "trackers amazon", "pt3rc1", "whois record", "whois whois", "ssl certificate", "historical", "historical ssl", "referrer", "communicating", "dropped", "contacted", "apple ios", "hacktool", "metro", "malicious", "crypto", "installer", "attack", "awful", "brian sabey", "aig", "civicaIg", "tracking", "password crack", "tulach", "target tsara brashears", "tylerknott", "att", "monitoring", "spyware", "spying", "cybercrime", "tulach", "hughesnet", "ios", "toshiba", "attack", "malvertizing", "cyber stalking", "porn", "pornhub" ], "references": [ "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "myhughesnet.com", "dishmail.net", "home.toshiba.com", "ytq2rs56.haogfw.com", "pornhub.com", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "monitor.cablelan.net", "https://monitor.rodgersmith.com", "https://www.everycloudtech.com/free-mail-flow-monitor" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "6553b88c316cfb531b9c4c10", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 179, "FileHash-SHA256": 4528, "CVE": 7, "domain": 2024, "hostname": 3556, "URL": 10455 }, "indicator_count": 20893, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65536bc6301b7cdf7d04e095", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-14T12:44:54.422000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65536bdc3676a40633a619be", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-14T12:45:16.667000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568d67bd96e06ab44b9b95", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-16T21:45:11.721000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "65536bdc3676a40633a619be", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "https://applemusic-spotlight.myunidays.com/US/en-US?", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "pornhub.com", "dishmail.net", "home.toshiba.com", "Domains Contacted: simplesausages.cx.cc adobe.com", "monitor.cablelan.net", "ytq2rs56.haogfw.com", "myhughesnet.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966", "https://test2.ditproducts.com/dat/wannacry1.html", "https://monitor.rodgersmith.com", "https://www.everycloudtech.com/free-mail-flow-monitor", "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly," ], "malware_families": [ "Trojanspy", "Win.packed.pincav-7537597-0", "Win32:karagany-d\\ [trj]", "Alf:jasyp:trojandownloader:win32/karagany!atmn", "Roblox", "Trojan.karagany - s0094", "Trojan:win32/startpage.ss", "Win.trojan.xtoober-650", "Maltiverse" ], "industries": [ "Finance - insurance sector", "Healthcare", "Technology", "Telecommunications" ], "unique_indicators": 51591 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/pulselive.com", "whois": "http://whois.domaintools.com/pulselive.com", "domain": "pulselive.com", "hostname": "sso.dev.fiba.pulselive.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6a141c15cfec672ba39e6a17", "name": "S0094 clone credit score blue ", "description": "", "modified": "2026-05-25T10:03:13.774000", "created": "2026-05-25T09:53:25.429000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": "6665d55d941729c5f283b3f7", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2951, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17067, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d55d941729c5f283b3f7", "name": "S0094-Remote Access - Assurance [a Prudential company]", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:16:29.634000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "690 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665d9ae1b06b560698b2a70", "name": "Assurance [a Prudential company] S0094-Remote Access", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:34:54.161000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "690 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6553b88c316cfb531b9c4c10", "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go.com", "description": "spyware, 114.114.114.114, Tulach, C2, apple iOS, passwords, crack, unlock , click, att, hughesnet", "modified": "2023-12-14T15:03:30.417000", "created": "2023-11-14T18:12:28.459000", "tags": [ "united", "blacklist", "malicious site", "mail spammer", "detection list", "cisco umbrella", "site", "safe site", "malware", "phishing site", "heur", "malware site", "alexa top", "million", "unsafe", "artemis", "riskware", "conduit", "agent", "opencandy", "xtrat", "iframe", "cleaner", "team", "installpack", "xrat", "tiggre", "presenoker", "fusioncore", "wacatac", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "crack", "softcnapp", "trojanspy", "maltiverse", "falcon sandbox", "pattern match", "root ca", "authority", "class", "script", "ascii text", "mitre att", "localappdata", "temp", "ck id", "date", "unknown", "generator", "critical", "error", "meta", "hybrid", "general", "local", "click", "strings", "expiressun", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pt3uc1", "path", "movies", "watch", "html info", "meta tags", "suddenlink tv", "trackers amazon", "pt3rc1", "whois record", "whois whois", "ssl certificate", "historical", "historical ssl", "referrer", "communicating", "dropped", "contacted", "apple ios", "hacktool", "metro", "malicious", "crypto", "installer", "attack", "awful", "brian sabey", "aig", "civicaIg", "tracking", "password crack", "tulach", "target tsara brashears", "tylerknott", "att", "monitoring", "spyware", "spying", "cybercrime", "tulach", "hughesnet", "ios", "toshiba", "attack", "malvertizing", "cyber stalking", "porn", "pornhub" ], "references": [ "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "myhughesnet.com", "dishmail.net", "home.toshiba.com", "ytq2rs56.haogfw.com", "pornhub.com", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "monitor.cablelan.net", "https://monitor.rodgersmith.com", "https://www.everycloudtech.com/free-mail-flow-monitor" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 179, "FileHash-SHA256": 4528, "CVE": 7, "domain": 2024, "hostname": 3556, "URL": 10455 }, "indicator_count": 20893, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568ab12429c394dc4b91ea", "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go", "description": "", "modified": "2023-12-14T15:03:30.417000", "created": "2023-11-16T21:33:37.838000", "tags": [ "united", "blacklist", "malicious site", "mail spammer", "detection list", "cisco umbrella", "site", "safe site", "malware", "phishing site", "heur", "malware site", "alexa top", "million", "unsafe", "artemis", "riskware", "conduit", "agent", "opencandy", "xtrat", "iframe", "cleaner", "team", "installpack", "xrat", "tiggre", "presenoker", "fusioncore", "wacatac", "azorult", "phishing", "service", "runescape", "facebook", "bank", "download", "crack", "softcnapp", "trojanspy", "maltiverse", "falcon sandbox", "pattern match", "root ca", "authority", "class", "script", "ascii text", "mitre att", "localappdata", "temp", "ck id", "date", "unknown", "generator", "critical", "error", "meta", "hybrid", "general", "local", "click", "strings", "expiressun", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "pt3uc1", "path", "movies", "watch", "html info", "meta tags", "suddenlink tv", "trackers amazon", "pt3rc1", "whois record", "whois whois", "ssl certificate", "historical", "historical ssl", "referrer", "communicating", "dropped", "contacted", "apple ios", "hacktool", "metro", "malicious", "crypto", "installer", "attack", "awful", "brian sabey", "aig", "civicaIg", "tracking", "password crack", "tulach", "target tsara brashears", "tylerknott", "att", "monitoring", "spyware", "spying", "cybercrime", "tulach", "hughesnet", "ios", "toshiba", "attack", "malvertizing", "cyber stalking", "porn", "pornhub" ], "references": [ "http://mobile.suddenlink2go.com/", "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3", "https://applemusic-spotlight.myunidays.com/US/en-US?", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "myhughesnet.com", "dishmail.net", "home.toshiba.com", "ytq2rs56.haogfw.com", "pornhub.com", "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI", "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ", "monitor.cablelan.net", "https://monitor.rodgersmith.com", "https://www.everycloudtech.com/free-mail-flow-monitor" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "6553b88c316cfb531b9c4c10", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 179, "FileHash-SHA256": 4528, "CVE": 7, "domain": 2024, "hostname": 3556, "URL": 10455 }, "indicator_count": 20893, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65536bc6301b7cdf7d04e095", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-14T12:44:54.422000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65536bdc3676a40633a619be", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-14T12:45:16.667000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568d67bd96e06ab44b9b95", "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20", "description": "", "modified": "2023-12-14T12:03:15.957000", "created": "2023-11-16T21:45:11.721000", "tags": [ "passive dns", "urls", "t1604023287", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "http", "ip address", "ssl certificate", "whois record", "resolutions", "referrer", "historical ssl", "communicating", "threat roundup", "whois whois", "apple", "stopransomware", "core", "discord", "metro", "blister", "cobalt strike", "hacktool", "june", "name verdict", "pattern match", "et tor", "known tor", "misc attack", "link", "woff2", "relayrouter", "exit", "node traffic", "ascii text", "date", "click", "unknown", "meta", "hybrid", "general", "local", "strings", "class", "generator", "critical", "error", "execution", "malware", "network", "roblox", "united", "as13335", "a domains", "status", "aaaa", "search", "script urls", "creation date", "showing", "pixel", "win32", "download", "t1507537243" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "65536bdc3676a40633a619be", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11333, "FileHash-MD5": 81, "FileHash-SHA1": 74, "FileHash-SHA256": 3269, "domain": 2748, "hostname": 3475, "email": 2, "CVE": 2 }, "indicator_count": 20984, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "898 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://sso.dev.fiba.pulselive.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://sso.dev.fiba.pulselive.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780222487.2760932 }