{ "type": "URL", "indicator": "https://staging.crmdynint.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://staging.crmdynint.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3390395103, "indicator": "https://staging.crmdynint.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 26, "pulses": [ { "id": "69decb6dd1bd6da78fc72d0a", "name": "Solarwinds Similarties? Tactics ASP.Net IoC\u2019s ISOLATED", "description": "Does this have similarities to the SolarWinds Attack? Anyone?\n\nASP.NET is a web application framework created by Microsoft for building dynamic web applications.\nIt enables developers to create web pages that can interact with databases and respond to user inputs.\nASP.NET supports various programming languages, including C# and VB.NET.\nContext: ASP.NET is widely used for developing modern web applications and services. It allows developers to create interactive and data-driven web pages that can run on various operating systems, including Windows, Linux, and macOS. The framework is open-source and supports various architectures, including MVC (Model-View-Controller) and Web API, which facilitate the organization and development of complex applications.\nIn many instances ASP.net has been seen connected to malicious Tulach , Apple , a browser agent that transmits data to New Relic's collectors by using either of the domains bam.nr-data.net or bam-cell.nr-data.net.", "modified": "2026-04-14T23:19:09.495000", "created": "2026-04-14T23:19:09.495000", "tags": [ "united", "aaaa", "certificate", "error", "read c", "rgba", "unicode", "memcommit", "delete", "dock", "execution", "command decode", "suricata ipv4", "suricata tcpv4", "flag", "localappdata", "windir", "openurl c", "programfiles", "suricata udpv4", "win64", "click", "strings", "anon", "username", "userprofile", "mitre att", "ck id", "ck matrix", "appdata", "comspec", "model", "path", "april", "hybrid", "general", "learn", "suspicious", "informative", "adversaries", "command", "spawns", "ck techniques", "mtb apr", "exploit", "trojan", "backdoor", "please", "x msedge", "all ipv4", "ransom", "date hash", "avast avg", "win32orbus apr", "dynamicloader", "yara rule", "high", "tofsee", "rndhex", "rndchar", "loaderid", "lidfileupd", "localcfg", "write", "stream", "push", "mtb alerts", "ee fc", "ff d5", "lredmond", "malware", "msie", "windows nt", "wow64", "slcc2", "media center", "yara detections", "av detections", "ids detections", "hostile", "unknown", "extraction", "data upload", "failed", "include review", "stop data", "typ url", "url data", "typ no", "th all", "stop", "port", "destination", "ds detections", "tls sni", "nrv2x", "upxoepplace", "alerts", "contacted", "markus", "hostile alerts", "less see", "all ip", "tulach", "brian sabey", "quasi", "link", "script urls", "record value", "script domains", "fireeye", "create c", "as15169", "next", "all url", "http", "related pulses", "related tags", "google safe", "code", "y se", "included review", "io excluded", "suggeste", "ipv4", "unknown ns", "redacted admin", "fax redacted", "name redacted", "phone redacted", "code redacted", "redacted tech", "christopher ahmann", "solarwinds like?" ], "references": [ "asp.net \u2022 cdnsrc.asp.net", "https://www.countercept.com/assets/Uploads/whitepapers/MWRI-Countercept-Machine-Learning-Whitepaper-2017-04-01.pdf", "http://www.phonefactor.com/PfPaWs/ConfirmActivation", "IPv4 13.107.253.70 exploit_source \u2022 IPv4 13.107.226.70 malware_hosting", "https://wsps.ourschoolpages.com/Account/ForgotPasswor (typo", "https://hybrid-analysis.com/sample/529a0b900eef6657ce6c98b1b5bccebe6db2e021aa02a316b7eb2604df810d3f/69de30ef0a22c3b506077a8c", "www.fireeye.com", "danilovstyle.ru", "ns4-04.azure-dns.info", "ns4-04.azure-dns.info danilovst) ns4-04.azure-dns.info", "www.fireeye.com .", "https://hypic-anaivsis.com/sambrerb/a0p9veebo", "Are these table SolarWinds attackers? Using same tacktics, good? Unsure.", "Tulach\u2019s ASP.Net Open Source destruction" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/SodinokibiCrypt.SK!MTB", "display_name": "Ransom:Win32/SodinokibiCrypt.SK!MTB", "target": "/malware/Ransom:Win32/SodinokibiCrypt.SK!MTB" }, { "id": "Win.Ransomware.Tofsee-10015002", "display_name": "Win.Ransomware.Tofsee-10015002", "target": null }, { "id": "Trojan:Win32/Comisproc!gmb I", "display_name": "Trojan:Win32/Comisproc!gmb I", "target": "/malware/Trojan:Win32/Comisproc!gmb I" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 88, "FileHash-MD5": 211, "FileHash-SHA1": 186, "FileHash-SHA256": 1366, "URL": 1848, "domain": 418, "email": 4, "hostname": 622, "SSLCertFingerprint": 21 }, "indicator_count": 4764, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692f23547b713b128b9c8156", "name": "Indicator Deletion Attack | Chris P. Ahmann Esq still utilizes parking crews to execute cyber attacks", "description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]", "modified": "2026-01-01T17:01:48.163000", "created": "2025-12-02T17:35:15.203000", "tags": [ "data upload", "extraction", "failed", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "united", "flag", "poland poland", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "mitre att", "ck matrix", "pattern match", "ascii text", "show process", "network traffic", "t1057", "general", "local", "path", "encrypt", "hosts ip", "details", "ssl certificate", "sha256", "sha1", "size", "unicode text", "crlf", "utf8", "lf line", "server", "command decode", "markmonitor", "amazon", "ltd dba", "com laude", "organization", "click", "show technique", "brand", "microsoft edge", "windows nt", "win64", "khtml", "gecko", "submitted", "prefetch1", "name server", "misc attack", "et tor", "known tor", "relayrouter", "contacted hosts", "google", "pornhub", "ip address", "t1480 execution", "file defense", "passive dns", "related nids", "urls", "files location", "flag united" ], "references": [ "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited", "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl", "pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com", "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net", "https://www.milehighmedia.com/legal/2257", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6", "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs", "http://watchhers.net/index.php", "everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1358, "FileHash-MD5": 100, "FileHash-SHA1": 102, "FileHash-SHA256": 1682, "URL": 2497, "CVE": 2, "domain": 400, "SSLCertFingerprint": 6, "email": 3 }, "indicator_count": 6150, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68feb98a8c1b75b4431a3e8e", "name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?", "description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.", "modified": "2025-11-25T20:05:31.749000", "created": "2025-10-27T00:15:06.191000", "tags": [ "html internet", "html document", "ascii text", "language", "cve202323397", "iframe tags", "tag manager", "gtmkvjvztk", "anchor hrefs", "info ta0011", "protocol", "layer protocol", "port", "t1571 encrypted", "channel", "t1573 malware", "tree", "oc0006 http", "c0014", "get http", "dns resolutions", "resolved ips", "user", "data", "datacrashpad", "edge", "v full", "reports v", "chrome u", "appdata local", "googlechrome u", "u ser", "cname", "ip address", "http", "accept", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "extraction", "suggested iocs", "data upload", "cry dee", "stop", "type", "url indicator", "enter", "failed", "se share", "extrac", "enter so", "passive dns", "urls", "hostname add", "pulse pulses", "files", "domain", "files ip", "address", "location united", "asn as20473", "dynamicloader", "directui", "write c", "intel", "ms windows", "pe32", "element", "delete c", "document file", "v2 document", "explorer", "trojandropper", "write", "markus", "august", "movie", "insert", "pulse submit", "url analysis", "asn as8068", "united", "entries", "body", "please", "x msedge", "ipv4 add", "present sep", "present oct", "present feb", "status", "unknown ns", "search", "name servers", "present jul", "aaaa", "present apr", "trojan", "medium", "high", "yara rule", "globalc", "june", "malware", "win64", "unknown", "america flag", "twitter", "hostname", "domain add", "reverse dns", "america asn", "present aug", "a domains", "moved", "first pqc", "unknown aaaa", "title", "meta", "window", "encrypt", "pulse indicator", "body doctype", "welcome", "ok server", "gmt content", "atlanta", "abuse", "agent", "service", "present jun", "present may", "creation date", "record value", "servers", "libretv meta", "certificate", "value", "whois lookup", "loopia ab", "userlolxxl" ], "references": [ "http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist", "It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!", "pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz", "Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com", "docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips", "https://hs.ecam.com/your-challenges-ecams-solutions", "https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022", "https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/", "Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wannacry", "display_name": "Wannacry", "target": null }, { "id": "Foundry", "display_name": "Foundry", "target": null }, { "id": "Trojan:Win32/Comisproc!gmb", "display_name": "Trojan:Win32/Comisproc!gmb", "target": "/malware/Trojan:Win32/Comisproc!gmb" }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "#Exploit:Win32/CVE- 2023 - 23397", "display_name": "#Exploit:Win32/CVE- 2023 - 23397", "target": "/malware/#Exploit:Win32/CVE- 2023 - 23397" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "ALF:PulZati:Worm:Win32/Mydoom", "display_name": "ALF:PulZati:Worm:Win32/Mydoom", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 8, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 248, "FileHash-SHA1": 134, "FileHash-SHA256": 2661, "URL": 6257, "domain": 682, "email": 8, "hostname": 2077, "CVE": 1 }, "indicator_count": 12068, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "144 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a23eef53f1124e8dc273fc", "name": "Sign in to your account - Anorocuriv", "description": "Short link sent to an iPhone user possibly by accident or maybe not. Unraveled :[https://ns4.whichkill.net/]\n[https://l.us-1.a.mimecastprotect.com/l]\n[https://api-glintstage.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\n\n[https://api.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\t\n\n*api.us1.glintinc.com #malta\n*ALF:Trojan:Win32/Anorocuriv.A.#virtool #LowFI:HookwowLow \n#tracking #tiaa #locate recording #userpics #movies #audio #screen #mobile_assets #https://biccerija.gov.mt/en/contact/", "modified": "2025-09-16T20:00:00.565000", "created": "2025-08-17T20:43:27.502000", "tags": [ "url http", "url https", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "status", "msie", "chrome", "passive dns", "urls", "date", "pulse pulses", "files", "domain", "files ip", "body", "http", "hostname", "files domain", "present jan", "present dec", "united", "present aug", "present jun", "unknown aaaa", "present mar", "present may", "present feb", "present jul", "error", "a domains", "gmt content", "accept encoding", "config nocache", "hostname add", "pulse submit", "content type", "certificate", "ip address", "cookie", "mita", "next associated", "please", "x msedge", "ipv4 add", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "pattern match", "mitre att", "ascii text", "null", "click", "august", "hybrid", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "adversaries", "ssl certificate", "logo", "av detection", "default browser", "guest system", "professional", "falcon sandbox", "response risk", "ck techniques", "detection", "show process", "prefetch8", "windows nt", "win64", "khtml", "gecko", "post collect", "microsoft edge", "nota", "brand", "class", "facebook", "ascii", "hex dump", "extraction", "failed", "data upload", "pul data", "enter", "s data", "type", "extr error", "href", "mask", "extra", "uta support", "include review", "exclude sugges", "find", "wow64", "show", "observed dns", "query", "unknown", "virtool", "copy", "write", "defender", "expiro", "malware", "next", "lowfi", "hookwowlow dec", "mtb jan", "mtb nov", "hookwowlow nov", "trojan", "trojandropper", "http request", "delete", "yara detections", "pe exe", "dll windows", "minimal http", "february", "guard", "alerts", "analysis date", "file score", "detections alf", "detections http", "http executable", "retrieved", "location united", "america flag", "america asn", "urls show", "date checked", "url hostname", "server response" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 853, "hostname": 1835, "URL": 7127, "email": 3, "FileHash-SHA256": 1470, "FileHash-MD5": 293, "FileHash-SHA1": 284, "SSLCertFingerprint": 426, "CVE": 1 }, "indicator_count": 12292, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "214 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a0cb6a89a10d13623a0018", "name": "Medicaid Mirai Botnet | United Healthcare Mirai Botnet", "description": "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll. Medicaid Botnet work managed by Lumen Technologies as part of a massive silencing campaign. |\n\nPhone calls routed since forces and investigated disclosures of several attack resulting in great bodily harm and life threatening, ending injuries.\nThis campaign date has one start date 11/13/2013.\n#missed assaults internal investigated 10/08/2013 -11/31/ 2013.\nI\u2019m sure other targets are impacted . This stems from targets personal , documented experiences. \nFormerly k/a Century Link was confronted by associate of targets when a plain clothed male entered targets yard in 11/ 2013, told their box controlled entire neighborhood. Continuously accessed properties. \n\n\n\n#rip #lumen #botnet #fencing #malware #silencing #civil_liberties # monitored_target #remote #corruption #privacy_abuse #centurylink", "modified": "2025-09-15T16:04:47.043000", "created": "2025-08-16T18:18:18.657000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "entries", "httponly", "samesitelax", "read c", "medium", "rgba", "unicode", "port", "memcommit", "delete", "next", "dock", "write", "execution", "present aug", "united", "ip address", "name servers", "unknown ns", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "show technique", "ck matrix", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "href", "size", "t1480 execution", "file defense", "ascii text", "trojan", "passive dns", "trojandropper", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "ipv4 add", "urls", "files", "location united", "ipv4", "url analysis", "america flag", "america asn", "backdoor", "win32", "malware", "date", "domain", "segoe ui", "a domains", "security tls", "san jose", "asn8075", "reverse dns", "software", "resource hash", "general full", "status", "emails", "expiration date", "asp", "microsoft oem", "found", "running webserver", "netherlands", "creation date", "aaaa", "certificate", "protocol h2", "name value", "hash", "present jun", "present apr", "moved", "control att", "t1573 encrypted", "channel command", "decrypted ssl", "runtime process", "appdata", "windows nt", "svg scalable", "patch", "internal", "core", "high", "tcp syn", "icmp traffic", "dns query", "av detections", "ashburn", "ai device id", "telnet", "windows script", "microsoft", "host", "yara detections", "pdb path", "pe resource", "script host", "test", "hostname add", "files ip", "domains", "hashes", "ireland", "mtb jun", "mtb may", "device local", "remotewd", "nemtih", "url add", "http", "hostname", "files domain", "files related", "pulses otx", "present jul", "domain add", "colorado", "quasi", "contracts", "botnet", "remote access", "virginia", "c++", "hacking", "monitored target", "silencing campaign", "audio recording", "cameras", "full service", "tactics" ], "references": [ "Handled by Lumen Technologies | What kind of darkness is this?", "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider", "dev.myhpnmedicaid.com", "ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113", "https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f", "https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851", "https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5", "Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet", "Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/", "https://dotnet.microsoft.com/en-us/apps/aspnet", "ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .", "ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.", "ASP.net Open source. A framework for building web apps and services with .NET and C#", "Registrant Org: Japan Computer Emergency Response Team Coordination Center", "Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com", "Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/", "Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx", "Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com", "http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Trojan:Win32/Daws", "display_name": "Trojan:Win32/Daws", "target": "/malware/Trojan:Win32/Daws" }, { "id": "ELF:Mirai-ATI", "display_name": "ELF:Mirai-ATI", "target": null }, { "id": "Trojan:Win32/IRCbot", "display_name": "Trojan:Win32/IRCbot", "target": "/malware/Trojan:Win32/IRCbot" }, { "id": "alf:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "alf:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Trojandropper:Win32/Muldrop.V!MTB", "display_name": "Trojandropper:Win32/Muldrop.V!MTB", "target": "/malware/Trojandropper:Win32/Muldrop.V!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1092", "name": "Communication Through Removable Media", "display_name": "T1092 - Communication Through Removable Media" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" } ], "industries": [ "Technology", "Telecommunications", "Contracts", "Government", "Finance", "Insurance", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4880, "domain": 575, "hostname": 1419, "FileHash-SHA256": 1745, "FileHash-MD5": 284, "FileHash-SHA1": 263, "email": 5, "CVE": 1 }, "indicator_count": 9172, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "216 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6893eee9bf1b30e08d1a6d8e", "name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood", "description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.", "modified": "2025-09-05T23:02:52.811000", "created": "2025-08-07T00:10:17.696000", "tags": [ "address google", "safe browsing", "united", "typeof", "passive dns", "body doctype", "nreum", "date", "gmt server", "apache x", "cnection", "content type", "span", "ok transfer", "encoding", "x powered", "unknown soa", "unknown ns", "showing", "entries", "next associated", "urls show", "body", "encrypt", "search", "ip address", "creation date", "record value", "present jul", "present may", "present apr", "certificate", "present aug", "present feb", "present dec", "present nov", "error", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "mitre att", "show technique", "ck matrix", "pattern match", "ascii text", "august", "hybrid", "general", "local", "path", "click", "strings", "itre att", "accept", "sha256", "size", "type data", "utf8 text", "document file", "flag", "server", "european union", "name server", "tor analysis", "dns requests", "domain address", "ii llc", "windir", "openurl c", "prefetch2", "show process", "ogoogle trust", "network traffic", "organization", "elton avundano", "object", "title object", "header http2", "returnurl", "texas", "rsa ov", "ssl ca", "status", "australia", "netherlands", "urls", "gmt path", "hostname add", "pulse submit", "present oct", "e safe", "results jul", "response ip", "present jan", "name servers", "verdict", "domain", "files ip", "address domain", "xhr start", "xhr load", "aaaa", "read c", "show", "port", "destination", "high", "delete", "outbound m3", "copy", "write", "persistence", "execution", "malware", "generic", "unknown", "present mar", "dynamicloader", "wine emulator", "dynamic", "medium", "read", "associated urls", "date checked", "url hostname", "server response", "google safe", "dnssec", "domain name", "solutions", "llc status", "next passive", "dns status", "hostname query", "files show", "date hash", "avast avg", "overview ip", "address", "related nids", "files location", "flag united", "hostname", "files domain", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "virtool", "win64", "defense evasion", "t1480 execution", "file defense", "null", "refresh", "tools", "look", "verify", "restart", "file discovery", "utf8", "crlf line", "a domains", "script urls", "link", "unknown aaaa", "meta", "atom", "results jan", "present", "present sep", "akamai", "asn as16625", "less whois", "registrar", "http", "france flag", "france hostname", "files related", "url analysis", "files", "location france", "detailed error", "sec ch", "ch ua", "ua full", "ua platform", "moved", "name", "perfect privacy", "error jul", "next related", "domains show", "domain related", "url add", "pulse pulses", "hosting", "reverse dns", "france asn", "as16276", "dns resolutions", "datacenter", "regopenkeyexa", "regsetvalueexa", "windows nt", "regdword", "hostile", "service", "delphi", "next", "pulses none", "related tags", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "review", "data upload", "extraction", "khtml", "gecko", "olet", "cnlet", "tlsv1", "hacktool", "push", "ms windows", "intel", "pe32", "users", "precreate read", "ransom", "code", "installer", "june", "media", "autorun", "next yara", "detections name", "aspackv2xxx", "eu alexey", "alerts", "pe file", "filehash", "sha256 add", "av detections", "ids detections", "yara detections", "analysis date", "april", "packing t1045", "t1045", "t1060", "registry run", "keys", "user execution", "icmp traffic" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1132, "URL": 6245, "hostname": 2264, "FileHash-SHA256": 1857, "FileHash-SHA1": 491, "email": 9, "FileHash-MD5": 573, "SSLCertFingerprint": 16 }, "indicator_count": 12587, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892a73593f73dfc969779b0", "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns", "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]", "modified": "2025-09-05T00:03:23.223000", "created": "2025-08-06T00:52:05.051000", "tags": [ "url http", "small", "indicator role", "title added", "active related", "pulses hostname", "tellyoun", "n aug", "entries", "data upload", "extraction", "windows error", "june", "fwd urgent", "justice czech", "copy sha256", "rejectedfailed", "timestamp input", "message status", "actions august", "file", "actions june", "actions may", "cta4 https", "context related", "associated urls", "campaigncodedsc", "language", "uid http", "community", "sha256", "size42b type", "submitted", "august", "april", "internal error", "previous1", "iframe", "community score", "scan analysis", "malicious", "intelligence", "learn", "falcon sandbox", "submissions", "status", "adversaries", "ck id", "name tactics", "suspicious", "informative", "defense evasion", "windows folder", "found", "dlls", "impact", "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9062, "domain": 707, "hostname": 2318, "FileHash-MD5": 86, "FileHash-SHA1": 26, "FileHash-SHA256": 2096, "email": 5, "FilePath": 2, "URI": 1 }, "indicator_count": 14303, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68743733a69ce827f6156f5c", "name": "W3.org | Google Spy engine | Tracking, Malware Repository | www.W3.org https://www.searchw3.com/ > ww.google.com.uy", "description": "", "modified": "2025-07-13T22:46:11.685000", "created": "2025-07-13T22:46:11.685000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "279 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "664b74b2683dec84891aef96", "name": "PrivateLoader is a malware with a module structure that has the capability is to download and execute one or several payloads", "description": "http://185.172.128.69/batushka/inte.exe \nhttp://185.172.128.69/allnewumm.exe\nhttp://185.172.128.69/brandumma.exe\nhttp://185.172.128.69/files\nhttp://185.172.128.69/files/US.file\nhttp://185.172.128.69/latestumma.exe\nhttp://185.172.128.69/newumma.exe\nhttp://185.172.128.69/sekundumma.exe\nhttp://185.172.128.69/ummanew.exe", "modified": "2024-10-14T20:36:05.361000", "created": "2024-05-20T16:05:06.313000", "tags": [ "stdin via", "nextron", "powershell id", "powershell", "tim rauch", "elastic", "script block", "logging", "pe32", "ms windows", "intel", "nazwa typ", "md5 nazwa", "procesu" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7268, "domain": 1310, "URL": 8101, "FileHash-SHA1": 1615, "hostname": 2590, "FileHash-MD5": 1852, "email": 267, "SSLCertFingerprint": 3, "CIDR": 38, "CVE": 7, "IPv4": 15, "YARA": 4 }, "indicator_count": 23070, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cd0d8da99ad679a1e5049b", "name": "VirusTotal Cl0p Ransomware Attack", "description": "Virustotal Ransomware attack when attempting to evaluate malicious link : http://bbd383ttka22.top/prize/luckyus-ad/nigh.php?c=69zejibbz5fz1&k=987ad34e7843dd8f3a3cb6559f188769&country_code=US&country_name=United%20States®ion=New%20York&city=Plainview&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=ja&ref_domain=&os=iOS&osv=16&browser=Chrome&browserv=115&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5\n Residual Cl0p Ransomware attack seen. \n\nAll Tags , Malware Families and Mitre ATT&CK results: Auto-populated.", "modified": "2024-09-25T22:04:23.320000", "created": "2024-08-26T23:19:41.093000", "tags": [ "please", "javascript", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "suricata ipv4", "united", "date", "suricata udpv4", "meta", "general", "twitter", "click", "strings", "virustotal", "body", "contact", "heur", "cisco umbrella", "malware", "site", "safe site", "suspected", "malware site", "filerepmetagen", "malicious site", "alexa top", "iframe", "wacatac", "downldr", "crack", "filetour", "cleaner", "exploit", "presenoker", "agent", "conduit", "riskware", "acint", "behav", "genkryptik", "phishing", "azorult", "cobalt strike", "runescape", "facebook", "bank", "download", "xrat", "installcore", "patcher", "adload", "cl0p", "trojanspy", "webtoolbar", "detection list", "blacklist", "mail spammer", "phishing site", "ip address", "malicious url", "ascii text", "et tor", "known tor", "misc attack", "pattern match", "relayrouter", "exit", "node traffic", "local", "core", "no data", "analyzer threat", "ip summary", "summary", "spammer", "node tcp", "traffic", "tor known", "ssh attacker", "attacker", "hostile host", "threats et", "cl0p ransomware", "analyzer paste", "iocs", "entity" ], "references": [ "https://www.virustotal.com/graph/http%3A%2F%2Fbbd383ttka22.top%2Fprize%2Fluckyus-ad%2Fnigh.php%3Fc%3D69zejibbz5fz1%26k%3D987ad34e7843dd8f3a3cb6559f188769%26country_code%3DUS%26country_name%3DUnited%2520States%26region%3DNew%2520York%26city%3DPlainview%26isp%3DMCI%2520Communications%2520Services%2C%2520Inc.%2520d%2Fb%2Fa%2520Verizon%2520Business%26lang%3Dja%26ref_domain%3D%26os%3DiOS%26osv%3D16%26browser%3DChrome%26browserv%3D115%26brand%3DApple%26model%3DiPhone%26marketing_name%3DiPhone%26tablet%3D2%26rheig", "bundled.toolbar.google | http://bundled.toolbar.google/http:/toolbar.google.| toolbar.google | https://bundled.toolbar.google/", "https://bundled.toolbar.google | http://toolbar.google.| http://bundled.toolbar.google/ | http://bundled.toolbar.google", "cryptpad.effi.org | cryptpad-sandbox.effi.org | www2.effi.org | tor.effi.org | tor-ou.effi.org", "www2.effi.org\t | tor.effi.org | tor-ou.effi.org", "op.lunistra.com | api.demand-iq.com", "Ransomware Report: https://www.hybrid-analysis.com/sample/c58e07f62f576d36567d74ca25bdff8374231e7985ff05a10bffbc5cb4296904/66ccf708c605284e0a0aea74" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 55, "hostname": 132, "FileHash-SHA256": 278, "FileHash-MD5": 138, "FileHash-SHA1": 65, "SSLCertFingerprint": 8, "URL": 269, "CVE": 8 }, "indicator_count": 953, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "570 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e0ffb31d4881f3238713", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)", "modified": "2024-08-05T04:01:42.283000", "created": "2024-07-06T06:15:27.994000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "622 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e142f0c8f5ddecbc788c", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)", "modified": "2024-08-05T04:01:42.283000", "created": "2024-07-06T06:16:34.388000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 94, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "622 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e15588a794b95443b46d", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)\nSorry so sloppy and large.\nAll tags , malware families and ATT&CK mechanisms auto populated", "modified": "2024-08-05T02:03:31.529000", "created": "2024-07-06T06:16:53.461000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "file size", "b file", "detections file", "gzip chrome", "cache entry", "graph", "ip detections", "country", "domains", "internet domain", "service bs", "corp", "namecheap inc", "csc corporate", "tucows", "epik llc", "tucows domains" ], "references": [ "https://www.searchw3.com/", "IP\u2019s Contacted: 192.124.249.187", "Ransomware: message.htm.com", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3731, "URL": 11926, "hostname": 4626, "domain": 4135, "FileHash-MD5": 1530, "FileHash-SHA1": 762, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 26747, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "622 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f1860d3062a8cb715ee358", "name": "United Healthcare sponsored Healthy Benefits Plus Attack warning - Contactec", "description": "", "modified": "2024-03-13T10:55:09.654000", "created": "2024-03-13T10:55:09.654000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656d71fbc00b370fde721350", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "767 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656d71fbc00b370fde721350", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber ", "description": "", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-04T06:30:19.057000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656c2345912bea54c4eeb718", "export_count": 126, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656c2345912bea54c4eeb718", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber attack", "description": "I received a request regarding AIG subsidiary United healthcare medicare sponsored healthy benefit plus card. Benefits provided to elderly, disabled SSDI recipients who have lower incomes. I learned 200+ were affected. Remote attacks, apple iOS, phi, health, vision, dental, food beneficiaries. Command and Control server. Research reveals a be deeply impacted target.\nbrowser.events.data.msn.com\nevents-sandbox.data.msn.com\n192.229.211.108 (Virus Network)\nassetscdn.isappcloud.com\nnr-data.net (Apple Private Data Collection)\nphotos1.blogger.com. (Malware site)\nhttp://www.tsarabrashears.com\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \nhttps://www.tsarabrashears.com\ntracker.adxpansion.com access tracker\ntsarabrashears.com\ntt.milehighmedia.com", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-03T06:42:13.993000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": null, "export_count": 121, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65568b00198f82af2e88d463", "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet", "description": "", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-16T21:34:56.016000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6552d6f5f56d2e9cd9e18a30", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6552d6f5f56d2e9cd9e18a30", "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet", "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-14T02:09:57.370000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6552d60aae6e1b3c22455088", "name": "Hive 0065", "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-14T02:06:02.329000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7dda4ef145116f1593a", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "", "modified": "2023-12-06T16:57:01.831000", "created": "2023-12-06T16:57:01.831000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "hostname": 551, "FileHash-SHA256": 650, "FileHash-MD5": 425, "FileHash-SHA1": 224, "URL": 1019, "domain": 485, "email": 2, "FilePath": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7d867bfb30b452b94d0", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "", "modified": "2023-12-06T16:56:56.522000", "created": "2023-12-06T16:56:56.522000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "hostname": 551, "FileHash-SHA256": 650, "FileHash-MD5": 425, "FileHash-SHA1": 224, "URL": 1019, "domain": 485, "email": 2, "FilePath": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f14eabcb037c4257b827b", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "", "modified": "2023-11-04T16:00:22.229000", "created": "2023-10-30T02:28:58.264000", "tags": [ "engineering", "united", "cyber threat", "team", "malware", "telefonica co", "heur", "malicious site", "ip reputation", "bambernek pony", "zeus", "nymaim", "facebook", "raccoon", "download", "kronos", "ramnit", "simda", "bank", "phishing", "citadel", "zbot", "pykspa", "agent", "maltiverse", "noname057", "copyright", "reserved", "flag", "date", "name server", "markmonitor", "server", "organization", "germany germany", "sample", "session details", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata alerts", "event category", "analysis", "malicious url", "windows nt", "wow64", "response", "gmt contenttype", "gecko host", "vary", "gmt etag", "general gets", "script", "parking crew", "apple", "apple id", "tsara", "tsara brashears", "spyware", "cyber criminal", "cyber stalking", "track", "track iphone", "accept all platforms", "infringement", "intellectual property", "suricata", "alert", "red team", "happywifehappylife", "malicious", "revenge", "posts", "post", "post to web", "post to server", "exploit", "command_and_control", "toggle", "logon", "login", "privilege", "ios", "attack", "mitre", "Packed.VMProt", "apple engineering", "abuse", "cve", "robots", "arizona", "bounce", "canada", "croatia", "base64_encoded", "%samplepath%", "tagging", "png image", "PSI-USA, Inc. dba Domain Robot Organization", "dns", "query", "evasive", "crack", "record type", "ttl value", "dns replication", "santa fe", "available from", "registrar abuse", "iana id", "domain status", "creation date", "registrar url", "code", "dapato", "predator", "win64", "conduit", "fakeinstaller", "installpack", "generic", "downloader", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "cleaner", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "swrort", "kraddare", "systweak", "iobit", "installcore", "artemis", "riskware", "dllinject", "driverpack", "trojanspy", "webtoolbar", "cisco umbrella", "ip hostname", "safe site", "site", "targeted", "AI", "dllinject" ], "references": [ "Spyware", "Parking Crew Spyware", "c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG", "http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e", "service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM", "d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG", "https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d", "wTools", "Research and Analysis", "go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET", "dllinject" ], "public": 1, "adversary": "Cyber Criminal", "targeted_countries": [ "Argentina", "Ireland", "United States of America" ], "malware_families": [ { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "TinyZBot - S0004", "display_name": "TinyZBot - S0004", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Bambernek Pony", "display_name": "Bambernek Pony", "target": null }, { "id": "Ransom:Win32/Nymaim", "display_name": "Ransom:Win32/Nymaim", "target": "/malware/Ransom:Win32/Nymaim" }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "TrojanSpy:Win32/Kronos", "display_name": "TrojanSpy:Win32/Kronos", "target": "/malware/TrojanSpy:Win32/Kronos" }, { "id": "Trojan:Win32/Raccoonstealer", "display_name": "Trojan:Win32/Raccoonstealer", "target": "/malware/Trojan:Win32/Raccoonstealer" }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "Spammer:Win32/Noname", "display_name": "Spammer:Win32/Noname", "target": "/malware/Spammer:Win32/Noname" }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Banker", "display_name": "Banker", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Trojan:MSIL/Razy", "display_name": "Trojan:MSIL/Razy", "target": "/malware/Trojan:MSIL/Razy" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:PUA:Win32/IObit", "display_name": "ALF:PUA:Win32/IObit", "target": null }, { "id": "TrojanDownloader:Win32/Kraddare", "display_name": "TrojanDownloader:Win32/Kraddare", "target": "/malware/TrojanDownloader:Win32/Kraddare" }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Qbot", "display_name": "Trojan:Win32/Qbot", "target": "/malware/Trojan:Win32/Qbot" }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "ALF:JASYP:PUAWin32/Systweak", "display_name": "ALF:JASYP:PUAWin32/Systweak", "target": null }, { "id": "Trojan:Win32/Dapato", "display_name": "Trojan:Win32/Dapato", "target": "/malware/Trojan:Win32/Dapato" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": "651f177187ed5eba41657bf4", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 485, "hostname": 551, "URL": 1019, "FileHash-SHA256": 650, "CVE": 5, "FileHash-MD5": 425, "FileHash-SHA1": 224, "FilePath": 2, "email": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "651f177187ed5eba41657bf4", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "Significantly infected Apple ID. and various devices; spyrixkeylogger, spyware, networm, tracking, beacons, injection, full control iOS and apple devices as well as OS. Appears as investigated. Not a lawful investigated. 5+ year (analysis reveals dated CVE's and malware specially targets individual) of spying, tagging, targeting, cyber criminal, cyber harassment, unlocker, disabled apple IDs. Interface / dummy core, collection, webdisk harvesting, cyber criminal behavior. Possible red teaming. js user, code written for a variety programs/systems, C2, relay router. robots. \ncyber threat.\nhired\ntargeted \nbotnets\nmalware\nAI", "modified": "2023-11-04T16:00:22.229000", "created": "2023-10-05T20:07:13.805000", "tags": [ "engineering", "united", "cyber threat", "team", "malware", "telefonica co", "heur", "malicious site", "ip reputation", "bambernek pony", "zeus", "nymaim", "facebook", "raccoon", "download", "kronos", "ramnit", "simda", "bank", "phishing", "citadel", "zbot", "pykspa", "agent", "maltiverse", "noname057", "copyright", "reserved", "flag", "date", "name server", "markmonitor", "server", "organization", "germany germany", "sample", "session details", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata alerts", "event category", "analysis", "malicious url", "windows nt", "wow64", "response", "gmt contenttype", "gecko host", "vary", "gmt etag", "general gets", "script", "parking crew", "apple", "apple id", "tsara", "tsara brashears", "spyware", "cyber criminal", "cyber stalking", "track", "track iphone", "accept all platforms", "infringement", "intellectual property", "suricata", "alert", "red team", "happywifehappylife", "malicious", "revenge", "posts", "post", "post to web", "post to server", "exploit", "command_and_control", "toggle", "logon", "login", "privilege", "ios", "attack", "mitre", "Packed.VMProt", "apple engineering", "abuse", "cve", "robots", "arizona", "bounce", "canada", "croatia", "base64_encoded", "%samplepath%", "tagging", "png image", "PSI-USA, Inc. dba Domain Robot Organization", "dns", "query", "evasive", "crack", "record type", "ttl value", "dns replication", "santa fe", "available from", "registrar abuse", "iana id", "domain status", "creation date", "registrar url", "code", "dapato", "predator", "win64", "conduit", "fakeinstaller", "installpack", "generic", "downloader", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "cleaner", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "swrort", "kraddare", "systweak", "iobit", "installcore", "artemis", "riskware", "dllinject", "driverpack", "trojanspy", "webtoolbar", "cisco umbrella", "ip hostname", "safe site", "site", "targeted", "AI", "dllinject" ], "references": [ "Spyware", "Parking Crew Spyware", "c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG", "http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e", "service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM", "d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG", "https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d", "wTools", "Research and Analysis", "go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET", "dllinject" ], "public": 1, "adversary": "Cyber Criminal", "targeted_countries": [ "Argentina", "Ireland", "United States of America" ], "malware_families": [ { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "TinyZBot - S0004", "display_name": "TinyZBot - S0004", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Bambernek Pony", "display_name": "Bambernek Pony", "target": null }, { "id": "Ransom:Win32/Nymaim", "display_name": "Ransom:Win32/Nymaim", "target": "/malware/Ransom:Win32/Nymaim" }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "TrojanSpy:Win32/Kronos", "display_name": "TrojanSpy:Win32/Kronos", "target": "/malware/TrojanSpy:Win32/Kronos" }, { "id": "Trojan:Win32/Raccoonstealer", "display_name": "Trojan:Win32/Raccoonstealer", "target": "/malware/Trojan:Win32/Raccoonstealer" }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "Spammer:Win32/Noname", "display_name": "Spammer:Win32/Noname", "target": "/malware/Spammer:Win32/Noname" }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Banker", "display_name": "Banker", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Trojan:MSIL/Razy", "display_name": "Trojan:MSIL/Razy", "target": "/malware/Trojan:MSIL/Razy" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:PUA:Win32/IObit", "display_name": "ALF:PUA:Win32/IObit", "target": null }, { "id": "TrojanDownloader:Win32/Kraddare", "display_name": "TrojanDownloader:Win32/Kraddare", "target": "/malware/TrojanDownloader:Win32/Kraddare" }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Qbot", "display_name": "Trojan:Win32/Qbot", "target": "/malware/Trojan:Win32/Qbot" }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "ALF:JASYP:PUAWin32/Systweak", "display_name": "ALF:JASYP:PUAWin32/Systweak", "target": null }, { "id": "Trojan:Win32/Dapato", "display_name": "Trojan:Win32/Dapato", "target": "/malware/Trojan:Win32/Dapato" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 485, "hostname": 551, "URL": 1019, "FileHash-SHA256": 650, "CVE": 5, "FileHash-MD5": 425, "FileHash-SHA1": 224, "FilePath": 2, "email": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "651f175a87ed5eba41657bf3", "name": "Packed.VMProt/ Packed.VMProtect Apple| iOS | Mac attack techapply.com", "description": "Significantly infected Apple ID. and various devices; spyrixkeylogger, spyware, networm, tracking, beacons, injection, full control iOS and apple devices as well as OS. Appears as investigated. Not a lawful investigated. 5+ year (analysis reveals dated CVE's and malware specially targets individual) of spying, tagging, targeting, cyber criminal, cyber harassment, unlocker, disabled apple IDs. Interface / dummy core, collection, webdisk harvesting, cyber criminal behavior. Possible red teaming. js user, code written for a variety programs/systems, C2, relay router. robots. \ncyber threat.\nhired\ntargeted \nbotnets\nmalware\nAI", "modified": "2023-11-04T16:00:22.229000", "created": "2023-10-05T20:06:50.075000", "tags": [ "engineering", "united", "cyber threat", "team", "malware", "telefonica co", "heur", "malicious site", "ip reputation", "bambernek pony", "zeus", "nymaim", "facebook", "raccoon", "download", "kronos", "ramnit", "simda", "bank", "phishing", "citadel", "zbot", "pykspa", "agent", "maltiverse", "noname057", "copyright", "reserved", "flag", "date", "name server", "markmonitor", "server", "organization", "germany germany", "sample", "session details", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata alerts", "event category", "analysis", "malicious url", "windows nt", "wow64", "response", "gmt contenttype", "gecko host", "vary", "gmt etag", "general gets", "script", "parking crew", "apple", "apple id", "tsara", "tsara brashears", "spyware", "cyber criminal", "cyber stalking", "track", "track iphone", "accept all platforms", "infringement", "intellectual property", "suricata", "alert", "red team", "happywifehappylife", "malicious", "revenge", "posts", "post", "post to web", "post to server", "exploit", "command_and_control", "toggle", "logon", "login", "privilege", "ios", "attack", "mitre", "Packed.VMProt", "apple engineering", "abuse", "cve", "robots", "arizona", "bounce", "canada", "croatia", "base64_encoded", "%samplepath%", "tagging", "png image", "PSI-USA, Inc. dba Domain Robot Organization", "dns", "query", "evasive", "crack", "record type", "ttl value", "dns replication", "santa fe", "available from", "registrar abuse", "iana id", "domain status", "creation date", "registrar url", "code", "dapato", "predator", "win64", "conduit", "fakeinstaller", "installpack", "generic", "downloader", "spyrixkeylogger", "bitminer", "loadmoney", "filetour", "wacatac", "fusioncore", "cleaner", "networm", "mediaget", "softonic", "trojan", "encpk", "qbot", "swrort", "kraddare", "systweak", "iobit", "installcore", "artemis", "riskware", "dllinject", "driverpack", "trojanspy", "webtoolbar", "cisco umbrella", "ip hostname", "safe site", "site", "targeted", "AI", "dllinject" ], "references": [ "Spyware", "Parking Crew Spyware", "c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG", "http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e", "service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM", "d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG", "https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d", "wTools", "Research and Analysis", "go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET", "dllinject" ], "public": 1, "adversary": "Cyber Criminal", "targeted_countries": [ "Argentina", "Ireland", "United States of America" ], "malware_families": [ { "id": "Looquer", "display_name": "Looquer", "target": null }, { "id": "TinyZBot - S0004", "display_name": "TinyZBot - S0004", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Bambernek Pony", "display_name": "Bambernek Pony", "target": null }, { "id": "Ransom:Win32/Nymaim", "display_name": "Ransom:Win32/Nymaim", "target": "/malware/Ransom:Win32/Nymaim" }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "TrojanSpy:Win32/Kronos", "display_name": "TrojanSpy:Win32/Kronos", "target": "/malware/TrojanSpy:Win32/Kronos" }, { "id": "Trojan:Win32/Raccoonstealer", "display_name": "Trojan:Win32/Raccoonstealer", "target": "/malware/Trojan:Win32/Raccoonstealer" }, { "id": "Packed.VMProtect", "display_name": "Packed.VMProtect", "target": null }, { "id": "Spammer:Win32/Noname", "display_name": "Spammer:Win32/Noname", "target": "/malware/Spammer:Win32/Noname" }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Banker", "display_name": "Banker", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Trojan:MSIL/Razy", "display_name": "Trojan:MSIL/Razy", "target": "/malware/Trojan:MSIL/Razy" }, { "id": "Trojan:Win32/Wacatac", "display_name": "Trojan:Win32/Wacatac", "target": "/malware/Trojan:Win32/Wacatac" }, { "id": "ALF:PUA:Win32/IObit", "display_name": "ALF:PUA:Win32/IObit", "target": null }, { "id": "TrojanDownloader:Win32/Kraddare", "display_name": "TrojanDownloader:Win32/Kraddare", "target": "/malware/TrojanDownloader:Win32/Kraddare" }, { "id": "ALF:PUA:Win32/FusionCore", "display_name": "ALF:PUA:Win32/FusionCore", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "display_name": "ALF:HeraklezEval:PUA:Win32/SpyrixKeylogger", "target": null }, { "id": "Trojan:Win32/Qbot", "display_name": "Trojan:Win32/Qbot", "target": "/malware/Trojan:Win32/Qbot" }, { "id": "Trojan:Win32/InstallCore", "display_name": "Trojan:Win32/InstallCore", "target": "/malware/Trojan:Win32/InstallCore" }, { "id": "ALF:JASYP:PUAWin32/Systweak", "display_name": "ALF:JASYP:PUAWin32/Systweak", "target": null }, { "id": "Trojan:Win32/Dapato", "display_name": "Trojan:Win32/Dapato", "target": "/malware/Trojan:Win32/Dapato" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 485, "hostname": 551, "URL": 1019, "FileHash-SHA256": 650, "CVE": 5, "FileHash-MD5": 425, "FileHash-SHA1": 224, "FilePath": 2, "email": 2 }, "indicator_count": 3363, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6221581d5e881a927be47379", "name": "http://marynanhuffman-com.mail.protection.outlook.com", "description": "", "modified": "2022-04-02T00:04:50.405000", "created": "2022-03-04T00:06:53.440000", "tags": [ "status", "name servers", "servers", "united", "content type", "show", "emails", "creation date", "expiration date", "access", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 346, "hostname": 84, "domain": 55, "FileHash-SHA256": 92, "email": 3 }, "indicator_count": 580, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1478 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5", "https://www.searchw3.com/", "dllinject", "op.lunistra.com | api.demand-iq.com", "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6", "ns4-04.azure-dns.info", "Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com", "https://hybrid-analysis.com/sample/529a0b900eef6657ce6c98b1b5bccebe6db2e021aa02a316b7eb2604df810d3f/69de30ef0a22c3b506077a8c", "Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www2.effi.org\t | tor.effi.org | tor-ou.effi.org", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "IPv4 13.107.253.70 exploit_source \u2022 IPv4 13.107.226.70 malware_hosting", "http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit", "ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113", "Tulach\u2019s ASP.Net Open Source destruction", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "https://twitter.com/PORNO_SEXYBABES", "ns4-04.azure-dns.info danilovst) ns4-04.azure-dns.info", "cryptpad.effi.org | cryptpad-sandbox.effi.org | www2.effi.org | tor.effi.org | tor-ou.effi.org", "http://service.appleid.apple.online.hqvce.techapply.com/apple/f625bbcc3a59f078ffa95159c719501e/index.php?itunes=_connect-run&secure=5540zef1415405412104ef151511d7f84f5ze1f510eec8bd0e", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "Are these table SolarWinds attackers? Using same tacktics, good? Unsure.", "https://dotnet.microsoft.com/en-us/apps/aspnet", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips", "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited", "https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022", "Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com", "www.fireeye.com .", "OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist", "https://bundled.toolbar.google | http://toolbar.google.| http://bundled.toolbar.google/ | http://bundled.toolbar.google", "Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f", "go.microsoft.com 184.26.158.64 TTL: 2672\tMarkMonitor, Inc. Organization: Microsoft Corporation Name Server: NS1.MSFT.NET", "https://hypic-anaivsis.com/sambrerb/a0p9veebo", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Handled by Lumen Technologies | What kind of darkness is this?", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/", "https://hs.ecam.com/your-challenges-ecams-solutions", "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider", "Ransomware: message.htm.com", "Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/", "https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "https://www.hybrid-analysis.com/sample/6450c8bb8cec78135dd4891507099d1407ef1d9af40bc250251eb99888c20f7e/651eda366e1436b384026c6d", "http://www.phonefactor.com/PfPaWs/ConfirmActivation", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io", "192.124.249.187", "https://wsps.ourschoolpages.com/Account/ForgotPasswor (typo", "Parking Crew Spyware", "www.fireeye.com", "http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "asp.net \u2022 cdnsrc.asp.net", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022", "It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!", "pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz", "Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains", "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "wTools", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Registrant Org: Japan Computer Emergency Response Team Coordination Center", "c.parkingcrew.net 185.53.178.30 TTL: 9\tPSI-USA, Inc. dba Domain Robot Organization: Team Internet AG Name Server: NS-1403.AWSDNS-47.ORG", "service.appleid.apple.online.hqvce.techapply.com 76.223.35.103 TTL: 600\tTitanic Hosting, Inc. Name Server: NS1.DNE.COM", "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net", "pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com", "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/", "Ransomware Report: https://www.hybrid-analysis.com/sample/c58e07f62f576d36567d74ca25bdff8374231e7985ff05a10bffbc5cb4296904/66ccf708c605284e0a0aea74", "Spyware", "Research and Analysis", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "bundled.toolbar.google | http://bundled.toolbar.google/http:/toolbar.google.| toolbar.google | https://bundled.toolbar.google/", "ASP.net Open source. A framework for building web apps and services with .NET and C#", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "https://www.countercept.com/assets/Uploads/whitepapers/MWRI-Countercept-Machine-Learning-Whitepaper-2017-04-01.pdf", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl", "dev.myhpnmedicaid.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://www.milehighmedia.com/legal/2257", "danilovstyle.ru", "https://www.virustotal.com/graph/http%3A%2F%2Fbbd383ttka22.top%2Fprize%2Fluckyus-ad%2Fnigh.php%3Fc%3D69zejibbz5fz1%26k%3D987ad34e7843dd8f3a3cb6559f188769%26country_code%3DUS%26country_name%3DUnited%2520States%26region%3DNew%2520York%26city%3DPlainview%26isp%3DMCI%2520Communications%2520Services%2C%2520Inc.%2520d%2Fb%2Fa%2520Verizon%2520Business%26lang%3Dja%26ref_domain%3D%26os%3DiOS%26osv%3D16%26browser%3DChrome%26browserv%3D115%26brand%3DApple%26model%3DiPhone%26marketing_name%3DiPhone%26tablet%3D2%26rheig", "ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "http://watchhers.net/index.php", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet", "d38psrni17bvxu.cloudfront.net 18.239.196.136 TTL: 60\tMarkMonitor, Inc. Organization: Amazon.com, Inc. Name Server: NS-1306.AWSDNS-35.ORG", "everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com", "ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Cyber Criminal" ], "malware_families": [ "Webtoolbar", "Generic", "Trojan:win32/daws", "Elf:mirai-ati", "Alf:pua:win32/fusioncore", "Other malware", "Ransom:win32/nymaim", "Win.packed.generic-9967832-0", "Trojandropper:win32/vb.il", "Redline", "Trojan:win32/wacatac", "Looquer", "Spammer:win32/noname", "Trojan:win32/installcore", "Custom malware", "Tofsee", "Trojan:win32/qbot", "Foundry", "Packed.vmprotect", "Tinyzbot - s0004", "Trojandropper:win32/muldrop.v!mtb", "Trojan:win32/dapato", "Cl0p", "Trojanspy:win32/kronos", "Trojandownloader:win32/kraddare", "Pegasus", "Trojan:win32/comisproc!gmb i", "Trojan:msil/razy", "Ramnit", "#exploit:win32/cve- 2023 - 23397", "Cve-2023-22518", "Maltiverse", "Ransom:win32/sodinokibicrypt.sk!mtb", "Trojan:win32/zombie.a", "Alf:pulzati:worm:win32/mydoom", "Worm:win32/pykspa", "Trojan:win32/comisproc!gmb", "Trojan:win32/ircbot", "Wannacry", "Trojanspy", "Alf:heraklezeval:pua:win32/spyrixkeylogger", "Backdoor:win32/simda", "Malware", "Banker", "Alf:jasyp:trojan:win32/ircbot!atmn", "Trojan:win32/raccoonstealer", "Alf:jasyp:puawin32/systweak", "Bambernek pony", "Alf:pua:win32/iobit", "Win.ransomware.tofsee-10015002" ], "industries": [ "Government", "Civil society", "Food", "Health", "Technology", "Insurance", "Telecommunications", "Contracts", "Finance" ], "unique_indicators": 173020 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/crmdynint.com", "whois": "http://whois.domaintools.com/crmdynint.com", "domain": "crmdynint.com", "hostname": "staging.crmdynint.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 26, "pulses": [ { "id": "69decb6dd1bd6da78fc72d0a", "name": "Solarwinds Similarties? Tactics ASP.Net IoC\u2019s ISOLATED", "description": "Does this have similarities to the SolarWinds Attack? Anyone?\n\nASP.NET is a web application framework created by Microsoft for building dynamic web applications.\nIt enables developers to create web pages that can interact with databases and respond to user inputs.\nASP.NET supports various programming languages, including C# and VB.NET.\nContext: ASP.NET is widely used for developing modern web applications and services. It allows developers to create interactive and data-driven web pages that can run on various operating systems, including Windows, Linux, and macOS. The framework is open-source and supports various architectures, including MVC (Model-View-Controller) and Web API, which facilitate the organization and development of complex applications.\nIn many instances ASP.net has been seen connected to malicious Tulach , Apple , a browser agent that transmits data to New Relic's collectors by using either of the domains bam.nr-data.net or bam-cell.nr-data.net.", "modified": "2026-04-14T23:19:09.495000", "created": "2026-04-14T23:19:09.495000", "tags": [ "united", "aaaa", "certificate", "error", "read c", "rgba", "unicode", "memcommit", "delete", "dock", "execution", "command decode", "suricata ipv4", "suricata tcpv4", "flag", "localappdata", "windir", "openurl c", "programfiles", "suricata udpv4", "win64", "click", "strings", "anon", "username", "userprofile", "mitre att", "ck id", "ck matrix", "appdata", "comspec", "model", "path", "april", "hybrid", "general", "learn", "suspicious", "informative", "adversaries", "command", "spawns", "ck techniques", "mtb apr", "exploit", "trojan", "backdoor", "please", "x msedge", "all ipv4", "ransom", "date hash", "avast avg", "win32orbus apr", "dynamicloader", "yara rule", "high", "tofsee", "rndhex", "rndchar", "loaderid", "lidfileupd", "localcfg", "write", "stream", "push", "mtb alerts", "ee fc", "ff d5", "lredmond", "malware", "msie", "windows nt", "wow64", "slcc2", "media center", "yara detections", "av detections", "ids detections", "hostile", "unknown", "extraction", "data upload", "failed", "include review", "stop data", "typ url", "url data", "typ no", "th all", "stop", "port", "destination", "ds detections", "tls sni", "nrv2x", "upxoepplace", "alerts", "contacted", "markus", "hostile alerts", "less see", "all ip", "tulach", "brian sabey", "quasi", "link", "script urls", "record value", "script domains", "fireeye", "create c", "as15169", "next", "all url", "http", "related pulses", "related tags", "google safe", "code", "y se", "included review", "io excluded", "suggeste", "ipv4", "unknown ns", "redacted admin", "fax redacted", "name redacted", "phone redacted", "code redacted", "redacted tech", "christopher ahmann", "solarwinds like?" ], "references": [ "asp.net \u2022 cdnsrc.asp.net", "https://www.countercept.com/assets/Uploads/whitepapers/MWRI-Countercept-Machine-Learning-Whitepaper-2017-04-01.pdf", "http://www.phonefactor.com/PfPaWs/ConfirmActivation", "IPv4 13.107.253.70 exploit_source \u2022 IPv4 13.107.226.70 malware_hosting", "https://wsps.ourschoolpages.com/Account/ForgotPasswor (typo", "https://hybrid-analysis.com/sample/529a0b900eef6657ce6c98b1b5bccebe6db2e021aa02a316b7eb2604df810d3f/69de30ef0a22c3b506077a8c", "www.fireeye.com", "danilovstyle.ru", "ns4-04.azure-dns.info", "ns4-04.azure-dns.info danilovst) ns4-04.azure-dns.info", "www.fireeye.com .", "https://hypic-anaivsis.com/sambrerb/a0p9veebo", "Are these table SolarWinds attackers? Using same tacktics, good? Unsure.", "Tulach\u2019s ASP.Net Open Source destruction" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/SodinokibiCrypt.SK!MTB", "display_name": "Ransom:Win32/SodinokibiCrypt.SK!MTB", "target": "/malware/Ransom:Win32/SodinokibiCrypt.SK!MTB" }, { "id": "Win.Ransomware.Tofsee-10015002", "display_name": "Win.Ransomware.Tofsee-10015002", "target": null }, { "id": "Trojan:Win32/Comisproc!gmb I", "display_name": "Trojan:Win32/Comisproc!gmb I", "target": "/malware/Trojan:Win32/Comisproc!gmb I" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 88, "FileHash-MD5": 211, "FileHash-SHA1": 186, "FileHash-SHA256": 1366, "URL": 1848, "domain": 418, "email": 4, "hostname": 622, "SSLCertFingerprint": 21 }, "indicator_count": 4764, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692f23547b713b128b9c8156", "name": "Indicator Deletion Attack | Chris P. Ahmann Esq still utilizes parking crews to execute cyber attacks", "description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]", "modified": "2026-01-01T17:01:48.163000", "created": "2025-12-02T17:35:15.203000", "tags": [ "data upload", "extraction", "failed", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "united", "flag", "poland poland", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "mitre att", "ck matrix", "pattern match", "ascii text", "show process", "network traffic", "t1057", "general", "local", "path", "encrypt", "hosts ip", "details", "ssl certificate", "sha256", "sha1", "size", "unicode text", "crlf", "utf8", "lf line", "server", "command decode", "markmonitor", "amazon", "ltd dba", "com laude", "organization", "click", "show technique", "brand", "microsoft edge", "windows nt", "win64", "khtml", "gecko", "submitted", "prefetch1", "name server", "misc attack", "et tor", "known tor", "relayrouter", "contacted hosts", "google", "pornhub", "ip address", "t1480 execution", "file defense", "passive dns", "related nids", "urls", "files location", "flag united" ], "references": [ "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited", "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl", "pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com", "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net", "https://www.milehighmedia.com/legal/2257", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6", "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs", "http://watchhers.net/index.php", "everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1358, "FileHash-MD5": 100, "FileHash-SHA1": 102, "FileHash-SHA256": 1682, "URL": 2497, "CVE": 2, "domain": 400, "SSLCertFingerprint": 6, "email": 3 }, "indicator_count": 6150, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68feb98a8c1b75b4431a3e8e", "name": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator?", "description": "LevelBlue - Open Threat Exchange (userlolxxl) Administrator? 1.) (userlolxxl) is also disable_duck, has an unhealthy interest in the Tsara Brashears \u2018dead yet\u2019 theory , has many profiles. His issues are self made by grabbing vulnerabilities found and linking them to a fake University website. We checked. Profile belongs to a group causing needless distraction and hooking users into the \u2018No Problems\u2019 group. \n\nWe swiftly got Regis University to take notice of Palantirs Prometheus Intelligence Technology tracking. Dean let semester begin putting students at risk despite warnings from Tsara Brashears of owa canary cookie in server, to replace computers , halt school , deal with issue. RU ignored issues, Brashears didn\u2019t. They went black , blacklisted Tsara warning of credible death threats on dark web.", "modified": "2025-11-25T20:05:31.749000", "created": "2025-10-27T00:15:06.191000", "tags": [ "html internet", "html document", "ascii text", "language", "cve202323397", "iframe tags", "tag manager", "gtmkvjvztk", "anchor hrefs", "info ta0011", "protocol", "layer protocol", "port", "t1571 encrypted", "channel", "t1573 malware", "tree", "oc0006 http", "c0014", "get http", "dns resolutions", "resolved ips", "user", "data", "datacrashpad", "edge", "v full", "reports v", "chrome u", "appdata local", "googlechrome u", "u ser", "cname", "ip address", "http", "accept", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "extraction", "suggested iocs", "data upload", "cry dee", "stop", "type", "url indicator", "enter", "failed", "se share", "extrac", "enter so", "passive dns", "urls", "hostname add", "pulse pulses", "files", "domain", "files ip", "address", "location united", "asn as20473", "dynamicloader", "directui", "write c", "intel", "ms windows", "pe32", "element", "delete c", "document file", "v2 document", "explorer", "trojandropper", "write", "markus", "august", "movie", "insert", "pulse submit", "url analysis", "asn as8068", "united", "entries", "body", "please", "x msedge", "ipv4 add", "present sep", "present oct", "present feb", "status", "unknown ns", "search", "name servers", "present jul", "aaaa", "present apr", "trojan", "medium", "high", "yara rule", "globalc", "june", "malware", "win64", "unknown", "america flag", "twitter", "hostname", "domain add", "reverse dns", "america asn", "present aug", "a domains", "moved", "first pqc", "unknown aaaa", "title", "meta", "window", "encrypt", "pulse indicator", "body doctype", "welcome", "ok server", "gmt content", "atlanta", "abuse", "agent", "service", "present jun", "present may", "creation date", "record value", "servers", "libretv meta", "certificate", "value", "whois lookup", "loopia ab", "userlolxxl" ], "references": [ "http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "OTX issues | http://oracle.com/contracts.- I\u2019m wondering if vulnerabilities found put us on a watchlist", "It\u2019s not doesn\u2019t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!", "pegasus.thalamus.nz \u2022 http://pegasus.thalamus.nz\t\u2022 https://pegasus.thalamus.nz", "Personally Interested: sebastianfoliaco.com \u2022 sebagofinland.com \u2022 cpcontacts.sebastianfoliaco.com", "docs-api-staging.foundry.io \u2022 foundry.neconsside.com \u2022 http://foundry.neconsside.com \u2022 https://foundry.neconsside.com", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545", "https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips", "https://hs.ecam.com/your-challenges-ecams-solutions", "https://teja8.kuikr.com/i6/20181130/Apple \u2022 https://teja8.kuikr.com/images/chat/new-chat/apple.png \u2022", "https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png"\t hostname\tas.ultraapple.ipv64.net\t\u2022ipv64.net \u2022https://cdn.goilobby.com/email-notifications/addtoapplewallet.png \u2022 https://as.ultraapple.ipv64.net/", "Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Wannacry", "display_name": "Wannacry", "target": null }, { "id": "Foundry", "display_name": "Foundry", "target": null }, { "id": "Trojan:Win32/Comisproc!gmb", "display_name": "Trojan:Win32/Comisproc!gmb", "target": "/malware/Trojan:Win32/Comisproc!gmb" }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "#Exploit:Win32/CVE- 2023 - 23397", "display_name": "#Exploit:Win32/CVE- 2023 - 23397", "target": "/malware/#Exploit:Win32/CVE- 2023 - 23397" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "ALF:PulZati:Worm:Win32/Mydoom", "display_name": "ALF:PulZati:Worm:Win32/Mydoom", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 8, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 248, "FileHash-SHA1": 134, "FileHash-SHA256": 2661, "URL": 6257, "domain": 682, "email": 8, "hostname": 2077, "CVE": 1 }, "indicator_count": 12068, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "144 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a23eef53f1124e8dc273fc", "name": "Sign in to your account - Anorocuriv", "description": "Short link sent to an iPhone user possibly by accident or maybe not. Unraveled :[https://ns4.whichkill.net/]\n[https://l.us-1.a.mimecastprotect.com/l]\n[https://api-glintstage.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\n\n[https://api.glintinc.com/api/client/tiaa/token/saml2/consume/includeDeskLink]\t\n\n*api.us1.glintinc.com #malta\n*ALF:Trojan:Win32/Anorocuriv.A.#virtool #LowFI:HookwowLow \n#tracking #tiaa #locate recording #userpics #movies #audio #screen #mobile_assets #https://biccerija.gov.mt/en/contact/", "modified": "2025-09-16T20:00:00.565000", "created": "2025-08-17T20:43:27.502000", "tags": [ "url http", "url https", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "status", "msie", "chrome", "passive dns", "urls", "date", "pulse pulses", "files", "domain", "files ip", "body", "http", "hostname", "files domain", "present jan", "present dec", "united", "present aug", "present jun", "unknown aaaa", "present mar", "present may", "present feb", "present jul", "error", "a domains", "gmt content", "accept encoding", "config nocache", "hostname add", "pulse submit", "content type", "certificate", "ip address", "cookie", "mita", "next associated", "please", "x msedge", "ipv4 add", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "pattern match", "mitre att", "ascii text", "null", "click", "august", "hybrid", "general", "local", "path", "strings", "refresh", "tools", "meta", "onload", "span", "adversaries", "ssl certificate", "logo", "av detection", "default browser", "guest system", "professional", "falcon sandbox", "response risk", "ck techniques", "detection", "show process", "prefetch8", "windows nt", "win64", "khtml", "gecko", "post collect", "microsoft edge", "nota", "brand", "class", "facebook", "ascii", "hex dump", "extraction", "failed", "data upload", "pul data", "enter", "s data", "type", "extr error", "href", "mask", "extra", "uta support", "include review", "exclude sugges", "find", "wow64", "show", "observed dns", "query", "unknown", "virtool", "copy", "write", "defender", "expiro", "malware", "next", "lowfi", "hookwowlow dec", "mtb jan", "mtb nov", "hookwowlow nov", "trojan", "trojandropper", "http request", "delete", "yara detections", "pe exe", "dll windows", "minimal http", "february", "guard", "alerts", "analysis date", "file score", "detections alf", "detections http", "http executable", "retrieved", "location united", "america flag", "america asn", "urls show", "date checked", "url hostname", "server response" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 853, "hostname": 1835, "URL": 7127, "email": 3, "FileHash-SHA256": 1470, "FileHash-MD5": 293, "FileHash-SHA1": 284, "SSLCertFingerprint": 426, "CVE": 1 }, "indicator_count": 12292, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "214 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a0cb6a89a10d13623a0018", "name": "Medicaid Mirai Botnet | United Healthcare Mirai Botnet", "description": "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll. Medicaid Botnet work managed by Lumen Technologies as part of a massive silencing campaign. |\n\nPhone calls routed since forces and investigated disclosures of several attack resulting in great bodily harm and life threatening, ending injuries.\nThis campaign date has one start date 11/13/2013.\n#missed assaults internal investigated 10/08/2013 -11/31/ 2013.\nI\u2019m sure other targets are impacted . This stems from targets personal , documented experiences. \nFormerly k/a Century Link was confronted by associate of targets when a plain clothed male entered targets yard in 11/ 2013, told their box controlled entire neighborhood. Continuously accessed properties. \n\n\n\n#rip #lumen #botnet #fencing #malware #silencing #civil_liberties # monitored_target #remote #corruption #privacy_abuse #centurylink", "modified": "2025-09-15T16:04:47.043000", "created": "2025-08-16T18:18:18.657000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "entries", "httponly", "samesitelax", "read c", "medium", "rgba", "unicode", "port", "memcommit", "delete", "next", "dock", "write", "execution", "present aug", "united", "ip address", "name servers", "unknown ns", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "show technique", "ck matrix", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "href", "size", "t1480 execution", "file defense", "ascii text", "trojan", "passive dns", "trojandropper", "next associated", "fastly error", "please", "sea p", "mozilla", "accept", "ipv4 add", "urls", "files", "location united", "ipv4", "url analysis", "america flag", "america asn", "backdoor", "win32", "malware", "date", "domain", "segoe ui", "a domains", "security tls", "san jose", "asn8075", "reverse dns", "software", "resource hash", "general full", "status", "emails", "expiration date", "asp", "microsoft oem", "found", "running webserver", "netherlands", "creation date", "aaaa", "certificate", "protocol h2", "name value", "hash", "present jun", "present apr", "moved", "control att", "t1573 encrypted", "channel command", "decrypted ssl", "runtime process", "appdata", "windows nt", "svg scalable", "patch", "internal", "core", "high", "tcp syn", "icmp traffic", "dns query", "av detections", "ashburn", "ai device id", "telnet", "windows script", "microsoft", "host", "yara detections", "pdb path", "pe resource", "script host", "test", "hostname add", "files ip", "domains", "hashes", "ireland", "mtb jun", "mtb may", "device local", "remotewd", "nemtih", "url add", "http", "hostname", "files domain", "files related", "pulses otx", "present jul", "domain add", "colorado", "quasi", "contracts", "botnet", "remote access", "virginia", "c++", "hacking", "monitored target", "silencing campaign", "audio recording", "cameras", "full service", "tactics" ], "references": [ "Handled by Lumen Technologies | What kind of darkness is this?", "https://myhpnmedicaid.com/Looking-For-A-Plan/Enroll https://myhpnmedicaid.com/Provider", "dev.myhpnmedicaid.com", "ELF:Mirai-ATI | United Healthcare Dark? | https://otx.alienvault.com/indicator/ip/205.132.162.113", "https://hybrid-analysis.com/sample/e439d3dd3d943ecc702d12998a32e15c00008a8f276e6c89cb54f6de43f36de8/689fccb81c4f237eb6009b0f", "https://hybrid-analysis.com/sample/f095ee58f390749315e72cfa46d979cb25a15884b66c7951719c844ebc82b3a3/689fcc753aca4827cd036851", "https://hybrid-analysis.com/sample/dd09e575e6dfa77f081bf0014b2494e02f90cb23723fbb35d6b2a92e7c629920/689fcc40b786f8eaa20534b5", "Primary Request aspnet dotnet.microsoft.com/en-us/apps/ Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/ https://dotnet.microsoft.com/en-us/apps/aspnet", "Redirect Chain http://asp.net/ https://asp.net/ https://www.asp.net/", "https://dotnet.microsoft.com/en-us/apps/aspnet", "ASP.net - Hack Together: Mar 1-15 Join the hack. Build an app with NET & Microsoft Graph for a\u2026 .", "ASP.net - chance to win prizes! \u53e3\u3001\u4ecb\u5973\u8fa3 All Microsoft Learn more ASP.NET Free. Cross-platform\u2026.", "ASP.net Open source. A framework for building web apps and services with .NET and C#", "Registrant Org: Japan Computer Emergency Response Team Coordination Center", "Interesting: unitedhealthcare cdn.member.unitedhealthcare.com \u2022 data.aca.unitedhealthcare.com \u2022 data.member.unitedhealthcare.com", "Interesting Domain Tactics: https://click.benefits.unitedhealthcare.com/", "Interesting: dev-optum-dataintelligence.com \u2022 optumcoding.xxx \u2022 optuminsightcoding.xxx \u2022 optumrx.xxx", "Interesting: memberforms.optumrx.com \u2022 myoptum.info \u2022 optumrx.com \u2022 cte-scl.new.optumrx.com \u2022 dev-scl.optumrx.com", "http://www.nexcentra.com/fox-news-faces-another-sexual-harassment-lawsuit" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Trojan:Win32/Daws", "display_name": "Trojan:Win32/Daws", "target": "/malware/Trojan:Win32/Daws" }, { "id": "ELF:Mirai-ATI", "display_name": "ELF:Mirai-ATI", "target": null }, { "id": "Trojan:Win32/IRCbot", "display_name": "Trojan:Win32/IRCbot", "target": "/malware/Trojan:Win32/IRCbot" }, { "id": "alf:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "alf:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "Trojandropper:Win32/Muldrop.V!MTB", "display_name": "Trojandropper:Win32/Muldrop.V!MTB", "target": "/malware/Trojandropper:Win32/Muldrop.V!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1092", "name": "Communication Through Removable Media", "display_name": "T1092 - Communication Through Removable Media" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" } ], "industries": [ "Technology", "Telecommunications", "Contracts", "Government", "Finance", "Insurance", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4880, "domain": 575, "hostname": 1419, "FileHash-SHA256": 1745, "FileHash-MD5": 284, "FileHash-SHA1": 263, "email": 5, "CVE": 1 }, "indicator_count": 9172, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "216 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6893eee9bf1b30e08d1a6d8e", "name": "Ransom:Win32/CVE - Denver \u2022 Community Lifestyle Neighborhood", "description": "*Ransom:Win32/CVE - * Win.Dropper.Stone-9856966-0,\nDenver \u2022 Community Lifestyle Neighborhood. \nCorporate & Leasing Office corrupted with spyware. There is a single verified monitored target. All technology devices corrupted, at least 2 phones monitored, YouTube is courtesy of hackers. Several in person and phone investigations, staff change and they know nothing about leasing apartments, townhomes , etiquette, poor communication. Target also investigated. It appears to be harassment, intimidation and monitoring for unspecified reasons. The parking lot is stacked with obvious people sitting in their vehicles for hours. It\u2019s unclear if the staffing change is legitimate or part of an investigation.", "modified": "2025-09-05T23:02:52.811000", "created": "2025-08-07T00:10:17.696000", "tags": [ "address google", "safe browsing", "united", "typeof", "passive dns", "body doctype", "nreum", "date", "gmt server", "apache x", "cnection", "content type", "span", "ok transfer", "encoding", "x powered", "unknown soa", "unknown ns", "showing", "entries", "next associated", "urls show", "body", "encrypt", "search", "ip address", "creation date", "record value", "present jul", "present may", "present apr", "certificate", "present aug", "present feb", "present dec", "present nov", "error", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "mitre att", "show technique", "ck matrix", "pattern match", "ascii text", "august", "hybrid", "general", "local", "path", "click", "strings", "itre att", "accept", "sha256", "size", "type data", "utf8 text", "document file", "flag", "server", "european union", "name server", "tor analysis", "dns requests", "domain address", "ii llc", "windir", "openurl c", "prefetch2", "show process", "ogoogle trust", "network traffic", "organization", "elton avundano", "object", "title object", "header http2", "returnurl", "texas", "rsa ov", "ssl ca", "status", "australia", "netherlands", "urls", "gmt path", "hostname add", "pulse submit", "present oct", "e safe", "results jul", "response ip", "present jan", "name servers", "verdict", "domain", "files ip", "address domain", "xhr start", "xhr load", "aaaa", "read c", "show", "port", "destination", "high", "delete", "outbound m3", "copy", "write", "persistence", "execution", "malware", "generic", "unknown", "present mar", "dynamicloader", "wine emulator", "dynamic", "medium", "read", "associated urls", "date checked", "url hostname", "server response", "google safe", "dnssec", "domain name", "solutions", "llc status", "next passive", "dns status", "hostname query", "files show", "date hash", "avast avg", "overview ip", "address", "related nids", "files location", "flag united", "hostname", "files domain", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "virtool", "win64", "defense evasion", "t1480 execution", "file defense", "null", "refresh", "tools", "look", "verify", "restart", "file discovery", "utf8", "crlf line", "a domains", "script urls", "link", "unknown aaaa", "meta", "atom", "results jan", "present", "present sep", "akamai", "asn as16625", "less whois", "registrar", "http", "france flag", "france hostname", "files related", "url analysis", "files", "location france", "detailed error", "sec ch", "ch ua", "ua full", "ua platform", "moved", "name", "perfect privacy", "error jul", "next related", "domains show", "domain related", "url add", "pulse pulses", "hosting", "reverse dns", "france asn", "as16276", "dns resolutions", "datacenter", "regopenkeyexa", "regsetvalueexa", "windows nt", "regdword", "hostile", "service", "delphi", "next", "pulses none", "related tags", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "review", "data upload", "extraction", "khtml", "gecko", "olet", "cnlet", "tlsv1", "hacktool", "push", "ms windows", "intel", "pe32", "users", "precreate read", "ransom", "code", "installer", "june", "media", "autorun", "next yara", "detections name", "aspackv2xxx", "eu alexey", "alerts", "pe file", "filehash", "sha256 add", "av detections", "ids detections", "yara detections", "analysis date", "april", "packing t1045", "t1045", "t1060", "registry run", "keys", "user execution", "icmp traffic" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1132, "URL": 6245, "hostname": 2264, "FileHash-SHA256": 1857, "FileHash-SHA1": 491, "email": 9, "FileHash-MD5": 573, "SSLCertFingerprint": 16 }, "indicator_count": 12587, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892a73593f73dfc969779b0", "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns", "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]", "modified": "2025-09-05T00:03:23.223000", "created": "2025-08-06T00:52:05.051000", "tags": [ "url http", "small", "indicator role", "title added", "active related", "pulses hostname", "tellyoun", "n aug", "entries", "data upload", "extraction", "windows error", "june", "fwd urgent", "justice czech", "copy sha256", "rejectedfailed", "timestamp input", "message status", "actions august", "file", "actions june", "actions may", "cta4 https", "context related", "associated urls", "campaigncodedsc", "language", "uid http", "community", "sha256", "size42b type", "submitted", "august", "april", "internal error", "previous1", "iframe", "community score", "scan analysis", "malicious", "intelligence", "learn", "falcon sandbox", "submissions", "status", "adversaries", "ck id", "name tactics", "suspicious", "informative", "defense evasion", "windows folder", "found", "dlls", "impact", "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9062, "domain": 707, "hostname": 2318, "FileHash-MD5": 86, "FileHash-SHA1": 26, "FileHash-SHA256": 2096, "email": 5, "FilePath": 2, "URI": 1 }, "indicator_count": 14303, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68743733a69ce827f6156f5c", "name": "W3.org | Google Spy engine | Tracking, Malware Repository | www.W3.org https://www.searchw3.com/ > ww.google.com.uy", "description": "", "modified": "2025-07-13T22:46:11.685000", "created": "2025-07-13T22:46:11.685000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "279 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "664b74b2683dec84891aef96", "name": "PrivateLoader is a malware with a module structure that has the capability is to download and execute one or several payloads", "description": "http://185.172.128.69/batushka/inte.exe \nhttp://185.172.128.69/allnewumm.exe\nhttp://185.172.128.69/brandumma.exe\nhttp://185.172.128.69/files\nhttp://185.172.128.69/files/US.file\nhttp://185.172.128.69/latestumma.exe\nhttp://185.172.128.69/newumma.exe\nhttp://185.172.128.69/sekundumma.exe\nhttp://185.172.128.69/ummanew.exe", "modified": "2024-10-14T20:36:05.361000", "created": "2024-05-20T16:05:06.313000", "tags": [ "stdin via", "nextron", "powershell id", "powershell", "tim rauch", "elastic", "script block", "logging", "pe32", "ms windows", "intel", "nazwa typ", "md5 nazwa", "procesu" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7268, "domain": 1310, "URL": 8101, "FileHash-SHA1": 1615, "hostname": 2590, "FileHash-MD5": 1852, "email": 267, "SSLCertFingerprint": 3, "CIDR": 38, "CVE": 7, "IPv4": 15, "YARA": 4 }, "indicator_count": 23070, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://staging.crmdynint.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://staging.crmdynint.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776615403.762365 }