{ "type": "URL", "indicator": "https://staging.widevine.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://staging.widevine.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3776273825, "indicator": "https://staging.widevine.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "6695e27f356a22d97fba5ca8", "name": "Critical attack/s continues to affect YouTube Creator/s account/s", "description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23", "modified": "2024-08-15T02:00:24.886000", "created": "2024-07-16T03:01:17.316000", "tags": [ "win32 exe", "wextract", "kb file", "files", "file type", "javascript", "graph", "ip detections", "country", "userprofile", "runtime modules", "samplepath", "delnoderundll32", "mpgph131 hr", "hourly rl", "highest c", "mpgph131 lg", "onlogon rl", "highest", "process", "registrya", "registry keys", "registry", "windows policy", "shell folders", "file execution", "binary data", "security center", "text c", "peexe c", "xml c", "zip c", "file system", "written c", "dropped", "hashes", "windows nt", "wow64", "referer https", "date thu", "get https", "request", "gecko response", "gmt connection", "gmt vary", "etag", "accept", "win64", "query", "windows get", "internal", "set file", "create", "create process", "windows read", "shutdown system", "modify access", "delete registry", "enumerate", "behavior tags", "k0pmbc", "spsfsb", "ctsu", "efq78c", "egw7od", "en3i8d", "i6ydgd", "iz1fbc", "izt63", "kum7z", "vs2003", "sp1 build", "contained", "info compiler", "products", "header intel", "name md5", "type", "language", "simplified", "army", "variant sides", "with russia", "ramnit", "netsupport rat", "sneaky server", "replacement", "unauthorized", "sim unlock", "emotet", "chaos", "malicious", "critical", "copy", "life", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "cc linker", "urls", "gandi sas", "domains", "cloudflare", "ii llc", "psiusa", "domain robot", "ltd dba", "com laude", "ascio", "contacted", "ms word", "document", "b file", "html", "javascript jac", "html iu3", "executed by usa", "#wextract", "#unsigned", "thor", "stealer", "evader", "systemroot", "grum", "high", "delete c", "cape", "write", "103 read", "clsid read", "date read", "trojan", "united", "unknown", "status", "cname", "creation date", "search", "as1921", "austria unknown", "emails", "expiration date", "date", "pragma", "next", "passive dns", "backdoor", "win32", "scan endpoints", "all scoreblue", "ipv4", "usa", "co", "teams", "cybercrime", "spoof", "benjamin", "dynamicloader", "write c", "pe32 executable", "show", "yara rule", "windows", "recon", "worm", "powershell", "june", "delphi", "malware", "malice", "retaliation", "through the nights", "apple", "lenovo", "ios", "hackers", "move", "moved" ], "references": [ "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "https://www.youtube.com/watch?v=GyuMozsVyYs", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "nr-data.net [Apple Private Data Collection]", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WAT:Blacked-E", "display_name": "WAT:Blacked-E", "target": null }, { "id": "Win32:RmnDrp [Inf]", "display_name": "Win32:RmnDrp [Inf]", "target": null }, { "id": "AI:FileInfector.EAEEA7850C", "display_name": "AI:FileInfector.EAEEA7850C", "target": null }, { "id": "Virus.Ramnit/Nimnul", "display_name": "Virus.Ramnit/Nimnul", "target": null }, { "id": "Trojan.Crifi.1", "display_name": "Trojan.Crifi.1", "target": null }, { "id": "Trojan.MSIL.Injurer.cbd", "display_name": "Trojan.MSIL.Injurer.cbd", "target": null }, { "id": "Win.Downloader.Small-1645", "display_name": "Win.Downloader.Small-1645", "target": null }, { "id": "Trojan:Win32/Scrarev.C", "display_name": "Trojan:Win32/Scrarev.C", "target": "/malware/Trojan:Win32/Scrarev.C" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Speesipro.A", "display_name": "Trojan:Win32/Speesipro.A", "target": "/malware/Trojan:Win32/Speesipro.A" }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Backdoor:Win32/Likseput.B", "display_name": "Backdoor:Win32/Likseput.B", "target": "/malware/Backdoor:Win32/Likseput.B" }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003.007", "name": "Proc Filesystem", "display_name": "T1003.007 - Proc Filesystem" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology", "Civil Society", "Crime Victims" ], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4312, "domain": 1056, "hostname": 1818, "URL": 5125, "FileHash-MD5": 310, "FileHash-SHA1": 221, "email": 3 }, "indicator_count": 12845, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "654 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6650751b8dd6c7d00f0d7478", "name": "ET INFO Terse | Apple | Win.Trojan.Zbot-6598057-0", "description": "Tags, results generated by Level Blue OTX. AlienVault\nMy limited research results: \nApple | CIDR\n17.0.0.0/8\nFileHash-SHA256 d9ff17dd19a01ad64a77df6837e566319d16a235ac7223b9f565f470e57154c8 | Antivirus Detections\nWin32:Dropper-gen, Adware.Xadupi.B, Mirai, Win.Trojan.Zbot-6598057-0,\na variant of Win32/ELEX.IE potentially unwanted, Adware.Xadupi.B, Artemis!69E9EFD2E75E\nIDS Detections:\nET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile.\nYara Detections: dbgdetect_funcs,\nAlerts: injection_runpe,\nnetwork_icmp,\nallocates_execute_remote_process,\npersistence_autorun,\ncreates_service,\ninjection_modifies_memory,\ninjection_write_memory,\nprocess_martian,\nransomware_extensions,\nransomware_mass_file_delete", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:08:10.044000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66507a6eb3fde0552a6ebd9d", "name": "Sweet QuaDreams Apple | Hostile Spy campaign | Service modifier (Updated) ", "description": "", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:30:54.138000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6650751b8dd6c7d00f0d7478", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5c5ebba25ca46fc5b36bc", "name": "NSO Group Pegasus spyware found attack a US citizen. Silencing", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:11:39.752000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "msie", "chrome", "certificate", "hostname", "url analysis", "http response", "final url", "status code", "body length", "b body", "sha256", "headers date", "connection", "date sat", "html info", "forbidden", "google tag", "utc aw741566034", "utc redirection", "asnone united", "as54113", "cname", "script urls", "as19527 google", "as35280 acorus", "encrypt", "reverse dns", "location dublin", "domain name", "emails", "as23724", "as4812 china", "china", "win32mydoom jan", "ransom", "worm", "as4808 china", "browse scan", "endpoints all", "login", "sign up", "tulach", "c-67-181-73-197.hsd1.ca.comcast.net", "social engineering", "contact made by mark brian sabey", "contact made by o'dea", "benjamin c" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4655, "URL": 9981, "FileHash-MD5": 219, "FileHash-SHA1": 213, "FileHash-SHA256": 6722, "hostname": 4341, "CVE": 2, "email": 12, "BitcoinAddress": 3 }, "indicator_count": 26148, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbadc21b9891c459b9d2", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:13.975000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9995, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25999, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbbbcb7a479db222f053", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:27.745000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9996, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 26000, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80944a3d1c9e36346e0c1", "name": "NSO Group Pegasus spyware used nefariously", "description": "", "modified": "2024-02-27T03:01:21.421000", "created": "2024-01-29T20:23:32.737000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": "65b5cbbbcb7a479db222f053", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4174, "URL": 9617, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6801, "hostname": 4314, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25400, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a836104ede1963b0502042", "name": "Not even Google", "description": "https://shadow.googlecnapps.cn\njoshuajenkinslaw.com", "modified": "2024-02-16T17:02:44.115000", "created": "2024-01-17T20:18:24.316000", "tags": [ "ssl certificate", "threat roundup", "whois record", "march", "october", "contacted", "july", "april", "june", "roundup", "august", "copy", "execution", "plugx", "goldfinder", "sibot", "hacktool", "february", "ransomexx", "ermac", "emotet", "agent tesla", "nokoyawa" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1315, "URL": 1384, "domain": 327, "hostname": 516, "FileHash-MD5": 19, "FileHash-SHA1": 19 }, "indicator_count": 3580, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659b0fd1ac7cb4d83834db1f", "name": "Botnet Command and Control Server | Malware Distribution Site", "description": "", "modified": "2024-02-06T20:02:52.205000", "created": "2024-01-07T20:55:45.006000", "tags": [ "passive dns", "urls", "scan endpoints", "all octoseek", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "status code", "body", "httponly", "ssl certificate", "historical ssl", "whois record", "parent referrer", "whois whois", "communicating", "contacted", "contacted urls", "bundled", "pe resource", "dropped", "army", "machinename", "execution", "referrer", "malware distribution site", "phishing dropbox", "evasive", "banker", "dde", "dridex", "exploit", "dyre", "dyreza", "ransomware", "mydoom", "backdoor", "svg", "phising", "locky", "e-mail provider phishing", "spear phishing", "retefe", "defacement", "phishing development bank of singapore", "banjori", "suppobox", "zeus", "pony", "solar", "ransomware locky distribution site", "nymaim", "shade", "troldesh", "tvrat", "zbot", "elocky", "wisdomeyes", "kryptic", "sinkhole", "exploit", "worm", "backdoor", "injector", "botnet command and control server", "unknown", "domain", "creation date", "search", "date", "hostname", "next", "all search", "otx octoseek", "united", "as13335", "ipv4", "pulse submit", "url analysis", "iocs", "ioc search", "new ioc", "teams api", "contact", "files", "nxdomain", "win32", "meta", "wabot", "gmt contenttype", "dnssec", "name", "win32 exe", "detections file", "file size", "kb file", "domains", "registrar", "markmonitor inc", "status", "susp", "expiration date", "name servers", "domain related", "entries", "johnnsabey", "m. brian sabey", "mark sabey", "sabey data center", "utah", "http method", "http requests", "connect http", "get dns", "resolutions", "ip traffic", "problems", "alienvault part", "kgs0", "kls0", "schema abuse", "sneaky server", "iframe", "apple", "data collection" ], "references": [ "http://security.didici.cc/cve" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "virus.virlock/nabucur", "display_name": "virus.virlock/nabucur", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null }, { "id": "Banjori", "display_name": "Banjori", "target": null }, { "id": "Trojan.AvsEtecer", "display_name": "Trojan.AvsEtecer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "TV RAT", "display_name": "TV RAT", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Dyre", "display_name": "Dyre", "target": null }, { "id": "ELocky", "display_name": "ELocky", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Locky (Decryptor)", "display_name": "Locky (Decryptor)", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Gen:Variant.Strictor", "display_name": "Gen:Variant.Strictor", "target": null }, { "id": "Adware.BrowseFox", "display_name": "Adware.BrowseFox", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "MSIL_Kryptik.P.gen", "display_name": "MSIL_Kryptik.P.gen", "target": null }, { "id": "pykspa_v2_fake", "display_name": "pykspa_v2_fake", "target": null }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "TEL:Exploit:Win32/Sinkers", "display_name": "TEL:Exploit:Win32/Sinkers", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA256": 3121, "URL": 4225, "domain": 1725, "hostname": 1416, "FileHash-SHA1": 225, "CVE": 2, "email": 3 }, "indicator_count": 10948, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a48ab7cd0bd218b17ccf6c", "name": "Botnet Command and Control Server | Malware", "description": "", "modified": "2024-02-06T20:02:52.205000", "created": "2024-01-15T01:30:31.655000", "tags": [ "passive dns", "urls", "scan endpoints", "all octoseek", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "status code", "body", "httponly", "ssl certificate", "historical ssl", "whois record", "parent referrer", "whois whois", "communicating", "contacted", "contacted urls", "bundled", "pe resource", "dropped", "army", "machinename", "execution", "referrer", "malware distribution site", "phishing dropbox", "evasive", "banker", "dde", "dridex", "exploit", "dyre", "dyreza", "ransomware", "mydoom", "backdoor", "svg", "phising", "locky", "e-mail provider phishing", "spear phishing", "retefe", "defacement", "phishing development bank of singapore", "banjori", "suppobox", "zeus", "pony", "solar", "ransomware locky distribution site", "nymaim", "shade", "troldesh", "tvrat", "zbot", "elocky", "wisdomeyes", "kryptic", "sinkhole", "exploit", "worm", "backdoor", "injector", "botnet command and control server", "unknown", "domain", "creation date", "search", "date", "hostname", "next", "all search", "otx octoseek", "united", "as13335", "ipv4", "pulse submit", "url analysis", "iocs", "ioc search", "new ioc", "teams api", "contact", "files", "nxdomain", "win32", "meta", "wabot", "gmt contenttype", "dnssec", "name", "win32 exe", "detections file", "file size", "kb file", "domains", "registrar", "markmonitor inc", "status", "susp", "expiration date", "name servers", "domain related", "entries", "johnnsabey", "m. brian sabey", "mark sabey", "sabey data center", "utah", "http method", "http requests", "connect http", "get dns", "resolutions", "ip traffic", "problems", "alienvault part", "kgs0", "kls0", "schema abuse", "sneaky server", "iframe", "apple", "data collection" ], "references": [ "http://security.didici.cc/cve" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "virus.virlock/nabucur", "display_name": "virus.virlock/nabucur", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null }, { "id": "Banjori", "display_name": "Banjori", "target": null }, { "id": "Trojan.AvsEtecer", "display_name": "Trojan.AvsEtecer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "TV RAT", "display_name": "TV RAT", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Dyre", "display_name": "Dyre", "target": null }, { "id": "ELocky", "display_name": "ELocky", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Locky (Decryptor)", "display_name": "Locky (Decryptor)", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Gen:Variant.Strictor", "display_name": "Gen:Variant.Strictor", "target": null }, { "id": "Adware.BrowseFox", "display_name": "Adware.BrowseFox", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "MSIL_Kryptik.P.gen", "display_name": "MSIL_Kryptik.P.gen", "target": null }, { "id": "pykspa_v2_fake", "display_name": "pykspa_v2_fake", "target": null }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "TEL:Exploit:Win32/Sinkers", "display_name": "TEL:Exploit:Win32/Sinkers", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" } ], "industries": [], "TLP": "white", "cloned_from": "659b0fd1ac7cb4d83834db1f", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA256": 3121, "URL": 4225, "domain": 1725, "hostname": 1416, "FileHash-SHA1": 225, "CVE": 2, "email": 3 }, "indicator_count": 10948, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653bf3b076e4dbcd0c099992", "name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration", "description": "DeepScan run (absolute overkill). I witnessed excessive data use, device is completely practically unusable, many black pages, denial of most services. CNC. Browser bar became a malicious app that returns 0 searches. Attack directed towards my devices.\nNo stone left unturned. Passwords taken. Apps installed to device Covered can on device takes pictures/flash at will. Evasive. Very talented hackers. \nBravo! Very intrusive. Constantly attacking.\nTarget: Tsara Brashears and researcher", "modified": "2023-11-26T14:04:04.692000", "created": "2023-10-27T17:30:24.926000", "tags": [ "ssl certificate", "historical ssl", "resolutions", "referrer", "collections", "contacted", "efr1", "parent domain", "amazon 02", "metro", "crypto", "cisco umbrella", "site", "safe site", "heur", "malware", "alexa top", "million", "malicious url", "malware site", "malicious site", "opencandy", "riskware", "unsafe", "phishing", "zbot", "team", "exploit", "agent", "mimikatz", "azorult", "service", "runescape", "facebook", "bank", "download", "downldr", "presenoker", "fusioncore", "cleaner", "wacatac", "artemis", "blacknet rat", "stealer", "trojanspy", "blacklist https", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag count", "tsara brashears", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "whois record", "contacted urls", "siblings domain", "execution", "goldmax", "goldfinder", "sibot", "emotet", "united", "phishing site", "maltiverse", "adware", "phishtank", "xtrat", "xrat", "redline stealer", "xtreme", "crack", "genkryptik", "deepscan", "win64", "quasar rat", "fareit", "downloader", "trojan", "alexa", "iframe", "cve201711882", "phish", "genpack", "suspicious", "magazine", "applicunwnt", "cobalt strike", "malicious", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "ascii text", "mitre att", "ck id", "date", "unknown", "hybrid", "accept", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "pmejdjsu12", "Royal Bank of Scotland", "Phishing Bank of America Corporation", "Phishing Netflix", "Phishing Wells Fargo", "Phishing RuneScape", "Phishing Internal Revenue Service", "Phtarget unspecified phishing", "PAYPAL phishing", "Phishing Indeed", "Phishing eBay, Inc", "PhisSafe", "mobigame", "Phishing Facebook", "remote", "mitm", "tower", "worm", "firm", "privilege", "attacker", "monitoring", "cyber threat", "apple", "illegal", "DNS_PROBE_STARTED", "insurance", "revenge", "legal entities", "https://boxofporn.com" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan.Hotkeychick", "display_name": "Trojan.Hotkeychick", "target": null }, { "id": "CVE Exploits", "display_name": "CVE Exploits", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Virus.Sality", "display_name": "Virus.Sality", "target": null }, { "id": "W32.Malware", "display_name": "W32.Malware", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "Trojan.OTNR", "display_name": "Trojan.OTNR", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "Downloader.OpenCandy", "display_name": "Downloader.OpenCandy", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "GoogleToolbar", "display_name": "GoogleToolbar", "target": null }, { "id": "BScope.Adware.MSIL", "display_name": "BScope.Adware.MSIL", "target": null }, { "id": "Application.Auslogics", "display_name": "Application.Auslogics", "target": null }, { "id": "PE.Heur", "display_name": "PE.Heur", "target": null }, { "id": "Gen:Variant.Application.Bundler.DownloadGuide", "display_name": "Gen:Variant.Application.Bundler.DownloadGuide", "target": null }, { "id": "Trojan:Win32/Xtrat", "display_name": "Trojan:Win32/Xtrat", "target": "/malware/Trojan:Win32/Xtrat" }, { "id": "Xtreme RAT", "display_name": "Xtreme RAT", "target": null }, { "id": "ML.Attribute", "display_name": "ML.Attribute", "target": null }, { "id": "AGEN.1045143", "display_name": "AGEN.1045143", "target": null }, { "id": "Hoax.DeceptPCClean", "display_name": "Hoax.DeceptPCClean", "target": null }, { "id": "Packed.Themida", "display_name": "Packed.Themida", "target": null }, { "id": "MSIL_Bladabindi.G.gen", "display_name": "MSIL_Bladabindi.G.gen", "target": null }, { "id": "Gen:NN.ZexaF.34090", "display_name": "Gen:NN.ZexaF.34090", "target": null }, { "id": "Unsafe.AI_Score_95% 2", "display_name": "Unsafe.AI_Score_95% 2", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "JS:Trojan.HideLink 2", "display_name": "JS:Trojan.HideLink 2", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Application.BitCoinMiner", "display_name": "Application.BitCoinMiner", "target": null }, { "id": "WebToolbar.Asparnet", "display_name": "WebToolbar.Asparnet", "target": null }, { "id": "W32.HfsAutoB", "display_name": "W32.HfsAutoB", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Application.Deceptor", "display_name": "Application.Deceptor", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "HEUR:Hoax.PCFixer", "display_name": "HEUR:Hoax.PCFixer", "target": null }, { "id": "Gen:Variant.Jacard", "display_name": "Gen:Variant.Jacard", "target": null }, { "id": "Tool.Patcher", "display_name": "Tool.Patcher", "target": null }, { "id": "Trojan.Khalesi 2\tAdware 2", "display_name": "Trojan.Khalesi 2\tAdware 2", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Unsafe.AI_Score_94%", "display_name": "Unsafe.AI_Score_94%", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Warezov.gen3", "display_name": "Warezov.gen3", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Nemucod.21C8", "display_name": "Nemucod.21C8", "target": null }, { "id": "Asparnet.P", "display_name": "Asparnet.P", "target": null }, { "id": "InstallCore.Gen7", "display_name": "InstallCore.Gen7", "target": null }, { "id": "CsQKHtaAI", "display_name": "CsQKHtaAI", "target": null }, { "id": "Clicker.VB", "display_name": "Clicker.VB", "target": null }, { "id": "Exploit.Zip.Heuristic", "display_name": "Exploit.Zip.Heuristic", "target": null }, { "id": "Trojan.Ransom.GandCrab", "display_name": "Trojan.Ransom.GandCrab", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "ScrInject.eric", "display_name": "ScrInject.eric", "target": null }, { "id": "HEUR:Trojan.Diztakun", "display_name": "HEUR:Trojan.Diztakun", "target": null }, { "id": "Agent.OCJ", "display_name": "Agent.OCJ", "target": null }, { "id": "Vdehu.A", "display_name": "Vdehu.A", "target": null }, { "id": "Hacktool.Crack", "display_name": "Hacktool.Crack", "target": null }, { "id": "Backdoor.DTR.15", "display_name": "Backdoor.DTR.15", "target": null }, { "id": "Freemake.A potentially unwanted", "display_name": "Freemake.A potentially unwanted", "target": null }, { "id": "Absolute Uninstaller", "display_name": "Absolute Uninstaller", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "Trojan.Small", "display_name": "Trojan.Small", "target": null }, { "id": "HackTool.Crack", "display_name": "HackTool.Crack", "target": null }, { "id": "Generic.Application.JS.Sobrab.1", "display_name": "Generic.Application.JS.Sobrab.1", "target": null }, { "id": "Trojan.Rozena", "display_name": "Trojan.Rozena", "target": null }, { "id": "Trojan.Downloader", "display_name": "Trojan.Downloader", "target": null }, { "id": "Trojan.Bayrob", "display_name": "Trojan.Bayrob", "target": null }, { "id": "Adware.OxyPumper", "display_name": "Adware.OxyPumper", "target": null }, { "id": "Worm.Chir", "display_name": "Worm.Chir", "target": null }, { "id": "Trojan.Linux.Generic", "display_name": "Trojan.Linux.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Heur.BZC.YAX.Boxter.819", "display_name": "Heur.BZC.YAX.Boxter.819", "target": null }, { "id": "Faceliker.D", "display_name": "Faceliker.D", "target": null }, { "id": "Adware", "display_name": "Adware", "target": null }, { "id": "DeepScan:Generic.BrResMon.1", "display_name": "DeepScan:Generic.BrResMon.1", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "Trojan.Brsecmon", "display_name": "Trojan.Brsecmon", "target": null }, { "id": "SigRiskware.LespeedTechnologyLtd", "display_name": "SigRiskware.LespeedTechnologyLtd", "target": null }, { "id": "Doplik.J", "display_name": "Doplik.J", "target": null }, { "id": "Backdoor.Nhopro", "display_name": "Backdoor.Nhopro", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "Gen:NN.ZemsilF.32515", "display_name": "Gen:NN.ZemsilF.32515", "target": null }, { "id": "Downware", "display_name": "Downware", "target": null }, { "id": "MxResIcn.Heur", "display_name": "MxResIcn.Heur", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "Magazine phishing", "display_name": "Magazine phishing", "target": null }, { "id": "ApplicUnwnt@#2n6\tIRS", "display_name": "ApplicUnwnt@#2n6\tIRS", "target": null }, { "id": "TEL:Trojan:HTML/Phishing", "display_name": "TEL:Trojan:HTML/Phishing", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Trojan.GandCrypt", "display_name": "Trojan.GandCrypt", "target": null }, { "id": "Redirector.AN", "display_name": "Redirector.AN", "target": null }, { "id": "Agent.CUX.gen", "display_name": "Agent.CUX.gen", "target": null }, { "id": "Gen:Variant.Application.Bundler", "display_name": "Gen:Variant.Application.Bundler", "target": null }, { "id": "Downloader.Generic", "display_name": "Downloader.Generic", "target": null }, { "id": "Trojan.ClipBanker", "display_name": "Trojan.ClipBanker", "target": null }, { "id": "TrojanDropper.Autit", "display_name": "TrojanDropper.Autit", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "QVM05.1.08E5.Malware", "display_name": "QVM05.1.08E5.Malware", "target": null }, { "id": "Trojan.CookiesStealer", "display_name": "Trojan.CookiesStealer", "target": null }, { "id": "Agent.MU", "display_name": "Agent.MU", "target": null }, { "id": "Wacatac.B", "display_name": "Wacatac.B", "target": null }, { "id": "Dropper.Gen", "display_name": "Dropper.Gen", "target": null }, { "id": "WiseCleaner.A potentially unwanted", "display_name": "WiseCleaner.A potentially unwanted", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Gen:NN.ZemsilF.34170", "display_name": "Gen:NN.ZemsilF.34170", "target": null }, { "id": "Gen:Variant.MSILHeracles", "display_name": "Gen:Variant.MSILHeracles", "target": null }, { "id": "Trojan.DownLoader33", "display_name": "Trojan.DownLoader33", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Program.Freemake", "display_name": "Program.Freemake", "target": null }, { "id": "Kryptik.dawvk", "display_name": "Kryptik.dawvk", "target": null }, { "id": "AdwareSig [Adw]", "display_name": "AdwareSig [Adw]", "target": null }, { "id": "Phishing JPMorgan Chase and Co.", "display_name": "Phishing JPMorgan Chase and Co.", "target": null }, { "id": "Adware.BrowseFoxCRTD", "display_name": "Adware.BrowseFoxCRTD", "target": null }, { "id": "Suspici.1F4405D1", "display_name": "Suspici.1F4405D1", "target": null }, { "id": "PUA.Wombat", "display_name": "PUA.Wombat", "target": null }, { "id": "AdWare.DealPly", "display_name": "AdWare.DealPly", "target": null }, { "id": "Injector.CUAM", "display_name": "Injector.CUAM", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "Troj_Gen.F04IE00CI19", "display_name": "Troj_Gen.F04IE00CI19", "target": null }, { "id": "Worm.Autorun", "display_name": "Worm.Autorun", "target": null }, { "id": "Worm.Boychi", "display_name": "Worm.Boychi", "target": null }, { "id": "Worm.Allaple", "display_name": "Worm.Allaple", "target": null }, { "id": "CVE-2014-3153", "display_name": "CVE-2014-3153", "target": null }, { "id": "BehavesLike.ICLoader", "display_name": "BehavesLike.ICLoader", "target": null }, { "id": "BScope.Backdoor", "display_name": "BScope.Backdoor", "target": null }, { "id": "Trojan.WIN32.PDF.Alien", "display_name": "Trojan.WIN32.PDF.Alien", "target": null }, { "id": "PUP.Systweak", "display_name": "PUP.Systweak", "target": null }, { "id": "Sabsik.FL.B", "display_name": "Sabsik.FL.B", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Gen:Variant.Tedy HackTool.VulnDriver", "display_name": "Gen:Variant.Tedy HackTool.VulnDriver", "target": null }, { "id": "Backdoor.Predator", "display_name": "Backdoor.Predator", "target": null }, { "id": "Kryptik.GKQR", "display_name": "Kryptik.GKQR", "target": null }, { "id": "DarkKomet.ife", "display_name": "DarkKomet.ife", "target": null }, { "id": "BehavesLike.Downloader", "display_name": "BehavesLike.Downloader", "target": null }, { "id": "Trojan.JS.Iframe", "display_name": "Trojan.JS.Iframe", "target": null }, { "id": "InstallCore.NP", "display_name": "InstallCore.NP", "target": null }, { "id": "Generic.JS.BlackHole", "display_name": "Generic.JS.BlackHole", "target": null }, { "id": "Dropper.Wanna", "display_name": "Dropper.Wanna", "target": null }, { "id": "Remote Utilities", "display_name": "Remote Utilities", "target": null }, { "id": "W32.InstallCore.AGX", "display_name": "W32.InstallCore.AGX", "target": null }, { "id": "NetTool.RemoteExec", "display_name": "NetTool.RemoteExec", "target": null }, { "id": "Bondat.A", "display_name": "Bondat.A", "target": null }, { "id": "VM201.0.B70B.Malware", "display_name": "VM201.0.B70B.Malware", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "Infected.WebPage", "display_name": "Infected.WebPage", "target": null }, { "id": "HEUR:Exploit.Script", "display_name": "HEUR:Exploit.Script", "target": null }, { "id": "BScope.TrojanDownloader", "display_name": "BScope.TrojanDownloader", "target": null }, { "id": "HTML:RedirBA", "display_name": "HTML:RedirBA", "target": null }, { "id": "Trojan.BAT.Qhost", "display_name": "Trojan.BAT.Qhost", "target": null }, { "id": "HTML:RedirME", "display_name": "HTML:RedirME", "target": null }, { "id": "TrojWare.JS.AdWare.Agent", "display_name": "TrojWare.JS.AdWare.Agent", "target": null }, { "id": "Packed.Dico", "display_name": "Packed.Dico", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1602.001", "name": "SNMP (MIB Dump)", "display_name": "T1602.001 - SNMP (MIB Dump)" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1695, "FileHash-SHA1": 756, "FileHash-SHA256": 2029, "domain": 290, "URL": 1854, "hostname": 568, "CVE": 5 }, "indicator_count": 7197, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "916 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f09785f9ee8aebca2a667", "name": "Remote Access | DeepScan | Dumping | DNS | Internal System Infiltration", "description": "", "modified": "2023-11-26T14:04:04.692000", "created": "2023-10-30T01:40:08.022000", "tags": [ "ssl certificate", "historical ssl", "resolutions", "referrer", "collections", "contacted", "efr1", "parent domain", "amazon 02", "metro", "crypto", "cisco umbrella", "site", "safe site", "heur", "malware", "alexa top", "million", "malicious url", "malware site", "malicious site", "opencandy", "riskware", "unsafe", "phishing", "zbot", "team", "exploit", "agent", "mimikatz", "azorult", "service", "runescape", "facebook", "bank", "download", "downldr", "presenoker", "fusioncore", "cleaner", "wacatac", "artemis", "blacknet rat", "stealer", "trojanspy", "blacklist https", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag count", "tsara brashears", "self", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "whois record", "contacted urls", "siblings domain", "execution", "goldmax", "goldfinder", "sibot", "emotet", "united", "phishing site", "maltiverse", "adware", "phishtank", "xtrat", "xrat", "redline stealer", "xtreme", "crack", "genkryptik", "deepscan", "win64", "quasar rat", "fareit", "downloader", "trojan", "alexa", "iframe", "cve201711882", "phish", "genpack", "suspicious", "magazine", "applicunwnt", "cobalt strike", "malicious", "pattern match", "file", "web open", "font format", "truetype", "indicator", "windows nt", "ascii text", "mitre att", "ck id", "date", "unknown", "hybrid", "accept", "local", "stream", "click", "strings", "class", "generator", "critical", "error", "pmejdjsu12", "Royal Bank of Scotland", "Phishing Bank of America Corporation", "Phishing Netflix", "Phishing Wells Fargo", "Phishing RuneScape", "Phishing Internal Revenue Service", "Phtarget unspecified phishing", "PAYPAL phishing", "Phishing Indeed", "Phishing eBay, Inc", "PhisSafe", "mobigame", "Phishing Facebook", "remote", "mitm", "tower", "worm", "firm", "privilege", "attacker", "monitoring", "cyber threat", "apple", "illegal", "DNS_PROBE_STARTED", "insurance", "revenge", "legal entities", "https://boxofporn.com" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan.Hotkeychick", "display_name": "Trojan.Hotkeychick", "target": null }, { "id": "CVE Exploits", "display_name": "CVE Exploits", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Generic.ASMalwS", "display_name": "Generic.ASMalwS", "target": null }, { "id": "HackTool.CheatEngine", "display_name": "HackTool.CheatEngine", "target": null }, { "id": "HackTool.BruteForce", "display_name": "HackTool.BruteForce", "target": null }, { "id": "Virus.Sality", "display_name": "Virus.Sality", "target": null }, { "id": "W32.Malware", "display_name": "W32.Malware", "target": null }, { "id": "TSGeneric", "display_name": "TSGeneric", "target": null }, { "id": "Trojan.OTNR", "display_name": "Trojan.OTNR", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax - S0588", "display_name": "GoldMax - S0588", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "Downloader.OpenCandy", "display_name": "Downloader.OpenCandy", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "GoogleToolbar", "display_name": "GoogleToolbar", "target": null }, { "id": "BScope.Adware.MSIL", "display_name": "BScope.Adware.MSIL", "target": null }, { "id": "Application.Auslogics", "display_name": "Application.Auslogics", "target": null }, { "id": "PE.Heur", "display_name": "PE.Heur", "target": null }, { "id": "Gen:Variant.Application.Bundler.DownloadGuide", "display_name": "Gen:Variant.Application.Bundler.DownloadGuide", "target": null }, { "id": "Trojan:Win32/Xtrat", "display_name": "Trojan:Win32/Xtrat", "target": "/malware/Trojan:Win32/Xtrat" }, { "id": "Xtreme RAT", "display_name": "Xtreme RAT", "target": null }, { "id": "ML.Attribute", "display_name": "ML.Attribute", "target": null }, { "id": "AGEN.1045143", "display_name": "AGEN.1045143", "target": null }, { "id": "Hoax.DeceptPCClean", "display_name": "Hoax.DeceptPCClean", "target": null }, { "id": "Packed.Themida", "display_name": "Packed.Themida", "target": null }, { "id": "MSIL_Bladabindi.G.gen", "display_name": "MSIL_Bladabindi.G.gen", "target": null }, { "id": "Gen:NN.ZexaF.34090", "display_name": "Gen:NN.ZexaF.34090", "target": null }, { "id": "Unsafe.AI_Score_95% 2", "display_name": "Unsafe.AI_Score_95% 2", "target": null }, { "id": "BScope.Trojan", "display_name": "BScope.Trojan", "target": null }, { "id": "JS:Trojan.HideLink 2", "display_name": "JS:Trojan.HideLink 2", "target": null }, { "id": "Gen:Variant.Symmi", "display_name": "Gen:Variant.Symmi", "target": null }, { "id": "Gen:Heur.MSIL.Inject", "display_name": "Gen:Heur.MSIL.Inject", "target": null }, { "id": "Application.BitCoinMiner", "display_name": "Application.BitCoinMiner", "target": null }, { "id": "WebToolbar.Asparnet", "display_name": "WebToolbar.Asparnet", "target": null }, { "id": "W32.HfsAutoB", "display_name": "W32.HfsAutoB", "target": null }, { "id": "Gen:Variant.Ursu", "display_name": "Gen:Variant.Ursu", "target": null }, { "id": "HW32.Packed", "display_name": "HW32.Packed", "target": null }, { "id": "Application.Deceptor", "display_name": "Application.Deceptor", "target": null }, { "id": "Backdoor.Androm", "display_name": "Backdoor.Androm", "target": null }, { "id": "HEUR:Hoax.PCFixer", "display_name": "HEUR:Hoax.PCFixer", "target": null }, { "id": "Gen:Variant.Jacard", "display_name": "Gen:Variant.Jacard", "target": null }, { "id": "Tool.Patcher", "display_name": "Tool.Patcher", "target": null }, { "id": "Trojan.Khalesi 2\tAdware 2", "display_name": "Trojan.Khalesi 2\tAdware 2", "target": null }, { "id": "RiskWare.HackTool.Agent", "display_name": "RiskWare.HackTool.Agent", "target": null }, { "id": "Unsafe.AI_Score_94%", "display_name": "Unsafe.AI_Score_94%", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "RiskWare.Crack", "display_name": "RiskWare.Crack", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "VB:Trojan.Valyria", "display_name": "VB:Trojan.Valyria", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Warezov.gen3", "display_name": "Warezov.gen3", "target": null }, { "id": "JS:Trojan.Clicker", "display_name": "JS:Trojan.Clicker", "target": null }, { "id": "Nemucod.21C8", "display_name": "Nemucod.21C8", "target": null }, { "id": "Asparnet.P", "display_name": "Asparnet.P", "target": null }, { "id": "InstallCore.Gen7", "display_name": "InstallCore.Gen7", "target": null }, { "id": "CsQKHtaAI", "display_name": "CsQKHtaAI", "target": null }, { "id": "Clicker.VB", "display_name": "Clicker.VB", "target": null }, { "id": "Exploit.Zip.Heuristic", "display_name": "Exploit.Zip.Heuristic", "target": null }, { "id": "Trojan.Ransom.GandCrab", "display_name": "Trojan.Ransom.GandCrab", "target": null }, { "id": "ScrInject.B", "display_name": "ScrInject.B", "target": null }, { "id": "ScrInject.eric", "display_name": "ScrInject.eric", "target": null }, { "id": "HEUR:Trojan.Diztakun", "display_name": "HEUR:Trojan.Diztakun", "target": null }, { "id": "Agent.OCJ", "display_name": "Agent.OCJ", "target": null }, { "id": "Vdehu.A", "display_name": "Vdehu.A", "target": null }, { "id": "Hacktool.Crack", "display_name": "Hacktool.Crack", "target": null }, { "id": "Backdoor.DTR.15", "display_name": "Backdoor.DTR.15", "target": null }, { "id": "Freemake.A potentially unwanted", "display_name": "Freemake.A potentially unwanted", "target": null }, { "id": "Absolute Uninstaller", "display_name": "Absolute Uninstaller", "target": null }, { "id": "HTML:Script", "display_name": "HTML:Script", "target": null }, { "id": "Trojan.Small", "display_name": "Trojan.Small", "target": null }, { "id": "HackTool.Crack", "display_name": "HackTool.Crack", "target": null }, { "id": "Generic.Application.JS.Sobrab.1", "display_name": "Generic.Application.JS.Sobrab.1", "target": null }, { "id": "Trojan.Rozena", "display_name": "Trojan.Rozena", "target": null }, { "id": "Trojan.Downloader", "display_name": "Trojan.Downloader", "target": null }, { "id": "Trojan.Bayrob", "display_name": "Trojan.Bayrob", "target": null }, { "id": "Adware.OxyPumper", "display_name": "Adware.OxyPumper", "target": null }, { "id": "Worm.Chir", "display_name": "Worm.Chir", "target": null }, { "id": "Trojan.Linux.Generic", "display_name": "Trojan.Linux.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Heur.BZC.YAX.Boxter.819", "display_name": "Heur.BZC.YAX.Boxter.819", "target": null }, { "id": "Faceliker.D", "display_name": "Faceliker.D", "target": null }, { "id": "Adware", "display_name": "Adware", "target": null }, { "id": "DeepScan:Generic.BrResMon.1", "display_name": "DeepScan:Generic.BrResMon.1", "target": null }, { "id": "Adware.KuziTui", "display_name": "Adware.KuziTui", "target": null }, { "id": "Trojan.Brsecmon", "display_name": "Trojan.Brsecmon", "target": null }, { "id": "SigRiskware.LespeedTechnologyLtd", "display_name": "SigRiskware.LespeedTechnologyLtd", "target": null }, { "id": "Doplik.J", "display_name": "Doplik.J", "target": null }, { "id": "Backdoor.Nhopro", "display_name": "Backdoor.Nhopro", "target": null }, { "id": "TrojanBanker.Banbra", "display_name": "TrojanBanker.Banbra", "target": null }, { "id": "Gen:NN.ZemsilF.32515", "display_name": "Gen:NN.ZemsilF.32515", "target": null }, { "id": "Downware", "display_name": "Downware", "target": null }, { "id": "MxResIcn.Heur", "display_name": "MxResIcn.Heur", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "Magazine phishing", "display_name": "Magazine phishing", "target": null }, { "id": "ApplicUnwnt@#2n6\tIRS", "display_name": "ApplicUnwnt@#2n6\tIRS", "target": null }, { "id": "TEL:Trojan:HTML/Phishing", "display_name": "TEL:Trojan:HTML/Phishing", "target": null }, { "id": "DriverReviver.A potentially unwanted", "display_name": "DriverReviver.A potentially unwanted", "target": null }, { "id": "Trojan.GandCrypt", "display_name": "Trojan.GandCrypt", "target": null }, { "id": "Redirector.AN", "display_name": "Redirector.AN", "target": null }, { "id": "Agent.CUX.gen", "display_name": "Agent.CUX.gen", "target": null }, { "id": "Gen:Variant.Application.Bundler", "display_name": "Gen:Variant.Application.Bundler", "target": null }, { "id": "Downloader.Generic", "display_name": "Downloader.Generic", "target": null }, { "id": "Trojan.ClipBanker", "display_name": "Trojan.ClipBanker", "target": null }, { "id": "TrojanDropper.Autit", "display_name": "TrojanDropper.Autit", "target": null }, { "id": "Dropper.Trojan.Agent", "display_name": "Dropper.Trojan.Agent", "target": null }, { "id": "QVM05.1.08E5.Malware", "display_name": "QVM05.1.08E5.Malware", "target": null }, { "id": "Trojan.CookiesStealer", "display_name": "Trojan.CookiesStealer", "target": null }, { "id": "Agent.MU", "display_name": "Agent.MU", "target": null }, { "id": "Wacatac.B", "display_name": "Wacatac.B", "target": null }, { "id": "Dropper.Gen", "display_name": "Dropper.Gen", "target": null }, { "id": "WiseCleaner.A potentially unwanted", "display_name": "WiseCleaner.A potentially unwanted", "target": null }, { "id": "Gen:Heur.MSIL.Androm", "display_name": "Gen:Heur.MSIL.Androm", "target": null }, { "id": "Gen:NN.ZemsilF.34170", "display_name": "Gen:NN.ZemsilF.34170", "target": null }, { "id": "Gen:Variant.MSILHeracles", "display_name": "Gen:Variant.MSILHeracles", "target": null }, { "id": "Trojan.DownLoader33", "display_name": "Trojan.DownLoader33", "target": null }, { "id": "Trojan.MSIL", "display_name": "Trojan.MSIL", "target": null }, { "id": "Program.Freemake", "display_name": "Program.Freemake", "target": null }, { "id": "Kryptik.dawvk", "display_name": "Kryptik.dawvk", "target": null }, { "id": "AdwareSig [Adw]", "display_name": "AdwareSig [Adw]", "target": null }, { "id": "Phishing JPMorgan Chase and Co.", "display_name": "Phishing JPMorgan Chase and Co.", "target": null }, { "id": "Adware.BrowseFoxCRTD", "display_name": "Adware.BrowseFoxCRTD", "target": null }, { "id": "Suspici.1F4405D1", "display_name": "Suspici.1F4405D1", "target": null }, { "id": "PUA.Wombat", "display_name": "PUA.Wombat", "target": null }, { "id": "AdWare.DealPly", "display_name": "AdWare.DealPly", "target": null }, { "id": "Injector.CUAM", "display_name": "Injector.CUAM", "target": null }, { "id": "Downldr.gen", "display_name": "Downldr.gen", "target": null }, { "id": "Troj_Gen.F04IE00CI19", "display_name": "Troj_Gen.F04IE00CI19", "target": null }, { "id": "Worm.Autorun", "display_name": "Worm.Autorun", "target": null }, { "id": "Worm.Boychi", "display_name": "Worm.Boychi", "target": null }, { "id": "Worm.Allaple", "display_name": "Worm.Allaple", "target": null }, { "id": "CVE-2014-3153", "display_name": "CVE-2014-3153", "target": null }, { "id": "BehavesLike.ICLoader", "display_name": "BehavesLike.ICLoader", "target": null }, { "id": "BScope.Backdoor", "display_name": "BScope.Backdoor", "target": null }, { "id": "Trojan.WIN32.PDF.Alien", "display_name": "Trojan.WIN32.PDF.Alien", "target": null }, { "id": "PUP.Systweak", "display_name": "PUP.Systweak", "target": null }, { "id": "Sabsik.FL.B", "display_name": "Sabsik.FL.B", "target": null }, { "id": "malicious.f01f67", "display_name": "malicious.f01f67", "target": null }, { "id": "AGEN.1144657", "display_name": "AGEN.1144657", "target": null }, { "id": "Gen:Variant.Tedy HackTool.VulnDriver", "display_name": "Gen:Variant.Tedy HackTool.VulnDriver", "target": null }, { "id": "Backdoor.Predator", "display_name": "Backdoor.Predator", "target": null }, { "id": "Kryptik.GKQR", "display_name": "Kryptik.GKQR", "target": null }, { "id": "DarkKomet.ife", "display_name": "DarkKomet.ife", "target": null }, { "id": "BehavesLike.Downloader", "display_name": "BehavesLike.Downloader", "target": null }, { "id": "Trojan.JS.Iframe", "display_name": "Trojan.JS.Iframe", "target": null }, { "id": "InstallCore.NP", "display_name": "InstallCore.NP", "target": null }, { "id": "Generic.JS.BlackHole", "display_name": "Generic.JS.BlackHole", "target": null }, { "id": "Dropper.Wanna", "display_name": "Dropper.Wanna", "target": null }, { "id": "Remote Utilities", "display_name": "Remote Utilities", "target": null }, { "id": "W32.InstallCore.AGX", "display_name": "W32.InstallCore.AGX", "target": null }, { "id": "NetTool.RemoteExec", "display_name": "NetTool.RemoteExec", "target": null }, { "id": "Bondat.A", "display_name": "Bondat.A", "target": null }, { "id": "VM201.0.B70B.Malware", "display_name": "VM201.0.B70B.Malware", "target": null }, { "id": "Riskware.NetFilter", "display_name": "Riskware.NetFilter", "target": null }, { "id": "Infected.WebPage", "display_name": "Infected.WebPage", "target": null }, { "id": "HEUR:Exploit.Script", "display_name": "HEUR:Exploit.Script", "target": null }, { "id": "BScope.TrojanDownloader", "display_name": "BScope.TrojanDownloader", "target": null }, { "id": "HTML:RedirBA", "display_name": "HTML:RedirBA", "target": null }, { "id": "Trojan.BAT.Qhost", "display_name": "Trojan.BAT.Qhost", "target": null }, { "id": "HTML:RedirME", "display_name": "HTML:RedirME", "target": null }, { "id": "TrojWare.JS.AdWare.Agent", "display_name": "TrojWare.JS.AdWare.Agent", "target": null }, { "id": "Packed.Dico", "display_name": "Packed.Dico", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1602.001", "name": "SNMP (MIB Dump)", "display_name": "T1602.001 - SNMP (MIB Dump)" } ], "industries": [], "TLP": "white", "cloned_from": "653bf3b076e4dbcd0c099992", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1695, "FileHash-SHA1": 756, "FileHash-SHA256": 2029, "domain": 290, "URL": 1854, "hostname": 568, "CVE": 5 }, "indicator_count": 7197, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "916 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "training001.blackbagtech.com [opportunity?]", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "message.htm.com [ message stealer]", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "deviceinbox.com [malware hosting]", "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "http://security.didici.cc/cve", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "https://www.nsogroup.com", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "Tracking: 8.8.4.4 [ NOT a false.positive]", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.youtube.com/watch?v=GyuMozsVyYs", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "https://tulach.cc/ [malware engineering | phishing]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "https://timersys.com/ [ phishing | deb opera.com]", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "nr-data.net [Apple Private Data Collection]", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Group", "[Unnamed group]" ], "malware_families": [ "Sabsik.fl.b", "Application.auslogics", "Trojanbanker.banbra", "Tv rat", "Backdoor.androm", "Mxresicn.heur", "Adware.browsefox", "Trojan.avsetecer", "Scrinject.eric", "Trojware.js.adware.agent", "Trojan.msil.injurer.cbd", "Trojandownloader:win32/cutwail.bs", "Nymaim", "Trojan.win32.pdf.alien", "Driverreviver.a potentially unwanted", "Exploit.zip.heuristic", "Hacktool.cheatengine", "Behaveslike.icloader", "Trojan.cookiesstealer", "Gen:variant.ursu", "Injector.cuam", "Trojan:win32/scrarev.c", "Azorult", "Application.deceptor", "Sabey", "Msil_bladabindi.g.gen", "Trojan.brsecmon", "Remote utilities", "Html:script", "Html:redirba", "Adware", "Nettool.remoteexec", "Worm.boychi", "Trojan.khalesi 2\tadware 2", "Pe.heur", "Agen.1045143", "Absolute uninstaller", "Heur.bzc.yax.boxter.819", "W32.installcore.agx", "Vm201.0.b70b.malware", "Hoax.deceptpcclean", "Unsafe.ai_score_94%", "Dropper.gen", "Worm:win32/benjamin", "Heur:hoax.pcfixer", "Virus.virlock/nabucur", "Redirector.an", "Wisecleaner.a potentially unwanted", "Warezov.gen3", "Generic.js.blackhole", "Nemucod.21c8", "Wacatac.b", "Ai:fileinfector.eaeea7850c", "Win32:rmndrp [inf]", "Zeus", "Unsafe.ai_score_95% 2", "Pony", "Dyre", "Adware.browsefoxcrtd", "Trojandownloader:win32/upatre", "Tel:trojan:html/phishing", "Pup.systweak", "Backdoor.dtr.15", "Amadey", "Worm:win32/pykspa", "Trojan.wisdomeyes.16070401.9500", "Tsgeneric", "Ransomware", "Mimikatz - s0002", "Gen:variant.application.bundler.downloadguide", "Worm.chir", "Trojan.downloader33", "Virus.ramnit/nimnul", "Quasar rat", "Googletoolbar", "Alf:heraklezeval:trojanspy:win32/socstealer", "Applicunwnt@#2n6\tirs", "Html:redirme", "Emotet", "Virus:win32/sality.at", "Pegasus", "Virus.sality", "Gen:variant.symmi", "Clicker.vb", "Cve exploits", "Webtoolbar", "Trojan.ransom.generickd", "Trojan.small", "Qvm05.1.08e5.malware", "Wat:blacked-e", "Agent.mu", "Hacktool.bruteforce", "Js:trojan.hidelink 2", "Js:trojan.clicker", "Xtreme rat", "Riskware.crack", "Trojan.crifi.1", "Trojanspy", "Vb:trojan.valyria", "Bscope.backdoor", "Pykspa_v2_fake", "Mydoom", "Bondat.a", "Agen.1144657", "Trojandropper.autit", "Goldmax - s0588", "Packed.themida", "Locky", "Application.bitcoinminer", "W32.hfsautob", "W32.malware", "Downloader.generic", "Bscope.adware.msil", "Virut", "Cobalt strike", "Gen:nn.zemsilf.32515", "Gen:nn.zemsilf.34170", "Gen:nn.zexaf.34090", "Dropper.trojan.agent", "Gen:heur.msil.androm", "Pua.wombat", "Hw32.packed", "Downloader.opencandy", "Bscope.trojan", "Infected.webpage", "Pws:win32/qqpass.b!mtb", "Vdehu.a", "W32.eheur", "Heur:exploit.script", "Generic.application.js.sobrab.1", "Asparnet.p", "Gen:variant.jacard", "Trojan.msil", "Trojan.bat.qhost", "Solar", "Cve-2014-3153", "Darkkomet.ife", "Trojan.ransom.gandcrab", "Backdoor.predator", "Gen:variant.bulz", "Agent.cux.gen", "Dropper.wanna", "Zbot", "Msil_kryptik.p.gen", "Bscope.trojandownloader", "Generic.asmalws", "Hacktool.crack", "Backdoor:win32/likseput.b", "Ml.attribute", "Trojan.gandcrypt", "Tel:exploit:win32/sinkers", "Trojan.hotkeychick", "Adware.dealply", "Trojandownloader:win32/nemucod", "Trojan.bayrob", "Downldr.gen", "Malicious.f01f67", "Freemake.a potentially unwanted", "Trojan.downloader", "Sibot", "Agent.ocj", "Trojan.clipbanker", "Riskware.netfilter", "Trojan.otnr", "Riskware.hacktool.agent", "Trojan:win32/speesipro.a", "Win.downloader.small-1645", "Trojan.rozena", "Worm.allaple", "Doplik.j", "Gen:variant.msilheracles", "Heur:trojan.diztakun", "Troj_gen.f04ie00ci19", "Redline stealer", "Worm.autorun", "Gen:heur.msil.inject", "Mimikatz", "Backdoor:win32/mydoom", "Eternalblue", "Trojan:win32/xtrat", "Defacement", "Installcore.np", "Suppobox", "Dridex", "Adwaresig [adw]", "Behaveslike.downloader", "Scrinject.b", "Pykspa", "Suspici.1f4405d1", "Kryptik.gkqr", "Elocky", "Packed.dico", "Webtoolbar.asparnet", "Backdoor.nhopro", "Phishing jpmorgan chase and co.", "Installcore.gen7", "Trojan.js.iframe", "Sigriskware.lespeedtechnologyltd", "Downware", "Magazine phishing", "Adware.kuzitui", "Trojan.linux.generic", "Tool.patcher", "Adware.oxypumper", "Deepscan:generic.brresmon.1", "Kryptik.dawvk", "Banjori", "Gen:variant.strictor", "Goldfinder", "Locky (decryptor)", "Trojan:win32/zombie.a", "Csqkhtaai", "Faceliker.d", "Blacknet rat", "Program.freemake", "Hallrender", "Gen:variant.application.bundler", "Gen:variant.tedy hacktool.vulndriver", "Tulach" ], "industries": [ "Healthcare", "Civil society", "Crime victims", "Technology", "Media" ], "unique_indicators": 68212 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/widevine.com", "whois": "http://whois.domaintools.com/widevine.com", "domain": "widevine.com", "hostname": "staging.widevine.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "6695e27f356a22d97fba5ca8", "name": "Critical attack/s continues to affect YouTube Creator/s account/s", "description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23", "modified": "2024-08-15T02:00:24.886000", "created": "2024-07-16T03:01:17.316000", "tags": [ "win32 exe", "wextract", "kb file", "files", "file type", "javascript", "graph", "ip detections", "country", "userprofile", "runtime modules", "samplepath", "delnoderundll32", "mpgph131 hr", "hourly rl", "highest c", "mpgph131 lg", "onlogon rl", "highest", "process", "registrya", "registry keys", "registry", "windows policy", "shell folders", "file execution", "binary data", "security center", "text c", "peexe c", "xml c", "zip c", "file system", "written c", "dropped", "hashes", "windows nt", "wow64", "referer https", "date thu", "get https", "request", "gecko response", "gmt connection", "gmt vary", "etag", "accept", "win64", "query", "windows get", "internal", "set file", "create", "create process", "windows read", "shutdown system", "modify access", "delete registry", "enumerate", "behavior tags", "k0pmbc", "spsfsb", "ctsu", "efq78c", "egw7od", "en3i8d", "i6ydgd", "iz1fbc", "izt63", "kum7z", "vs2003", "sp1 build", "contained", "info compiler", "products", "header intel", "name md5", "type", "language", "simplified", "army", "variant sides", "with russia", "ramnit", "netsupport rat", "sneaky server", "replacement", "unauthorized", "sim unlock", "emotet", "chaos", "malicious", "critical", "copy", "life", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "cc linker", "urls", "gandi sas", "domains", "cloudflare", "ii llc", "psiusa", "domain robot", "ltd dba", "com laude", "ascio", "contacted", "ms word", "document", "b file", "html", "javascript jac", "html iu3", "executed by usa", "#wextract", "#unsigned", "thor", "stealer", "evader", "systemroot", "grum", "high", "delete c", "cape", "write", "103 read", "clsid read", "date read", "trojan", "united", "unknown", "status", "cname", "creation date", "search", "as1921", "austria unknown", "emails", "expiration date", "date", "pragma", "next", "passive dns", "backdoor", "win32", "scan endpoints", "all scoreblue", "ipv4", "usa", "co", "teams", "cybercrime", "spoof", "benjamin", "dynamicloader", "write c", "pe32 executable", "show", "yara rule", "windows", "recon", "worm", "powershell", "june", "delphi", "malware", "malice", "retaliation", "through the nights", "apple", "lenovo", "ios", "hackers", "move", "moved" ], "references": [ "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "https://www.youtube.com/watch?v=GyuMozsVyYs", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "nr-data.net [Apple Private Data Collection]", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WAT:Blacked-E", "display_name": "WAT:Blacked-E", "target": null }, { "id": "Win32:RmnDrp [Inf]", "display_name": "Win32:RmnDrp [Inf]", "target": null }, { "id": "AI:FileInfector.EAEEA7850C", "display_name": "AI:FileInfector.EAEEA7850C", "target": null }, { "id": "Virus.Ramnit/Nimnul", "display_name": "Virus.Ramnit/Nimnul", "target": null }, { "id": "Trojan.Crifi.1", "display_name": "Trojan.Crifi.1", "target": null }, { "id": "Trojan.MSIL.Injurer.cbd", "display_name": "Trojan.MSIL.Injurer.cbd", "target": null }, { "id": "Win.Downloader.Small-1645", "display_name": "Win.Downloader.Small-1645", "target": null }, { "id": "Trojan:Win32/Scrarev.C", "display_name": "Trojan:Win32/Scrarev.C", "target": "/malware/Trojan:Win32/Scrarev.C" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Speesipro.A", "display_name": "Trojan:Win32/Speesipro.A", "target": "/malware/Trojan:Win32/Speesipro.A" }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Backdoor:Win32/Likseput.B", "display_name": "Backdoor:Win32/Likseput.B", "target": "/malware/Backdoor:Win32/Likseput.B" }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003.007", "name": "Proc Filesystem", "display_name": "T1003.007 - Proc Filesystem" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology", "Civil Society", "Crime Victims" ], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4312, "domain": 1056, "hostname": 1818, "URL": 5125, "FileHash-MD5": 310, "FileHash-SHA1": 221, "email": 3 }, "indicator_count": 12845, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "654 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6650751b8dd6c7d00f0d7478", "name": "ET INFO Terse | Apple | Win.Trojan.Zbot-6598057-0", "description": "Tags, results generated by Level Blue OTX. AlienVault\nMy limited research results: \nApple | CIDR\n17.0.0.0/8\nFileHash-SHA256 d9ff17dd19a01ad64a77df6837e566319d16a235ac7223b9f565f470e57154c8 | Antivirus Detections\nWin32:Dropper-gen, Adware.Xadupi.B, Mirai, Win.Trojan.Zbot-6598057-0,\na variant of Win32/ELEX.IE potentially unwanted, Adware.Xadupi.B, Artemis!69E9EFD2E75E\nIDS Detections:\nET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile.\nYara Detections: dbgdetect_funcs,\nAlerts: injection_runpe,\nnetwork_icmp,\nallocates_execute_remote_process,\npersistence_autorun,\ncreates_service,\ninjection_modifies_memory,\ninjection_write_memory,\nprocess_martian,\nransomware_extensions,\nransomware_mass_file_delete", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:08:10.044000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66507a6eb3fde0552a6ebd9d", "name": "Sweet QuaDreams Apple | Hostile Spy campaign | Service modifier (Updated) ", "description": "", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:30:54.138000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6650751b8dd6c7d00f0d7478", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5c5ebba25ca46fc5b36bc", "name": "NSO Group Pegasus spyware found attack a US citizen. Silencing", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\n\u2022NSO Group develops best-in-class technology to help government agencies detect and prevent terrorism and crime.\n\u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. \nNon terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:11:39.752000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "msie", "chrome", "certificate", "hostname", "url analysis", "http response", "final url", "status code", "body length", "b body", "sha256", "headers date", "connection", "date sat", "html info", "forbidden", "google tag", "utc aw741566034", "utc redirection", "asnone united", "as54113", "cname", "script urls", "as19527 google", "as35280 acorus", "encrypt", "reverse dns", "location dublin", "domain name", "emails", "as23724", "as4812 china", "china", "win32mydoom jan", "ransom", "worm", "as4808 china", "browse scan", "endpoints all", "login", "sign up", "tulach", "c-67-181-73-197.hsd1.ca.comcast.net", "social engineering", "contact made by mark brian sabey", "contact made by o'dea", "benjamin c" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4655, "URL": 9981, "FileHash-MD5": 219, "FileHash-SHA1": 213, "FileHash-SHA256": 6722, "hostname": 4341, "CVE": 2, "email": 12, "BitcoinAddress": 3 }, "indicator_count": 26148, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbadc21b9891c459b9d2", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:13.975000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9995, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25999, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b5cbbbcb7a479db222f053", "name": "NSO Group Pegasus spyware used nefariously", "description": "\u2022 Cellebrite Empowers Law Enforcement Agencies with The Leading Digital Forensic Solutions\ngovernment agencies detect and prevent terrorism and crime. \u2022Pegasus reveals all to the NSO customers who control it \u2014 text messages, photos, emails, videos, contact lists \u2014 and can record phone calls. Non terrorist. Assaulted in physical therapy. Critically injurer. Immediate cyber attacks including NSO Group. Very dangerous. Unsuspected interaction with bad actors is a thing.", "modified": "2024-03-27T00:05:34.925000", "created": "2024-01-28T03:36:27.745000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4226, "URL": 9996, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6882, "hostname": 4402, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 26000, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b80944a3d1c9e36346e0c1", "name": "NSO Group Pegasus spyware used nefariously", "description": "", "modified": "2024-02-27T03:01:21.421000", "created": "2024-01-29T20:23:32.737000", "tags": [ "whois record", "ssl certificate", "threat roundup", "october", "august", "september", "november", "april", "march", "tsara brashears", "copy", "execution", "metro", "awful", "attack", "quasar", "malicious", "crypto", "contact", "contacted", "pe resource", "communicating", "pegasus", "bundled", "historical ssl", "cellbrite", "core", "startpage", "ursnif", "amadey", "probe", "targets sa", "survivor", "referrer", "whois whois", "whois ssl", "apple", "status", "creation date", "passive dns", "urls", "search", "expiration date", "name servers", "scan endpoints", "all octoseek", "pulse submit", "date", "next", "et exploit", "probe ms17010", "smbds ipc", "show", "service", "entries", "msf style", "generic flags", "pe32", "exploit", "malware", "dock", "push", "write", "win32", "eternalblue", "playgame", "bitcoin", "virgin islands", "as19905", "record value", "unknown", "body", "meta", "error", "united", "as7922 comcast", "x ua", "ipv4", "pulse pulses", "files", "moved", "title", "gmt content", "cookie", "as15169 google", "mtb jan", "otx telemetry", "query", "trojan", "msr jan", "as29580 a1", "domain", "showing", "as8866", "cellebrite", "aaaa", "russia unknown", "dnssec", "nxdomain", "a domains", "download", "accept", "url https", "http", "ip address", "related nids", "files location", "ios", "ireland", "servers", "as4808 china", "china", "reverse dns", "asnone united", "as54113", "cname", "domain name", "emails", "as23724", "as4812 china", "win32mydoom jan", "ransom", "worm", "browse scan", "endpoints all", "login", "sign up", "cellebrite", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "server", "domain status", "registrar abuse", "whois lookup", "contact email", "contact phone", "popularity", "rank position", "ingestion time", "cisco umbrella", "record type", "ttl value", "sa victim", "assaulter", "privilege https", "tulach" ], "references": [ "enterprise.cellebrite.com [ digitalclues.com]", "http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS", "https://tulach.cc/ [malware engineering | phishing]", "deviceinbox.com [malware hosting]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://timersys.com/ [ phishing | deb opera.com]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader]", "message.htm.com [ message stealer]", "https://www.nsogroup.com/governance/whistleblower-policies/ [ Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT]", "https://www.nsogroup.com", "https://www.sweetheartvideo.com/tsara-brashears/ [ Tracking BotNetwork malvertizing SA victims name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI]", "https://pin.it/ [ Pegasus Pinterest. Collecting everything Tsara does ]", "https://applemusic-spotlight.myunidays.com/US/en-US? [ Enters through apple music app.]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Password cracker ios unlocker | made you look tactics]", "Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all. Matthew Shepard Lives on.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection]", "https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey \u2022 HallRender.com & others]", "training001.blackbagtech.com [opportunity?]", "https://otx.alienvault.com/indicator/hostname/apptree.comcast.net", "nr-data.net [Apple Private Data Collection] data.net points to aps.net", "Tracking: 8.8.4.4 [ NOT a false.positive]", "https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b", "Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany", "Virgin Islands, British" ], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Backdoor:Win32/Mydoom", "display_name": "Backdoor:Win32/Mydoom", "target": "/malware/Backdoor:Win32/Mydoom" }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Civil Society", "Healthcare" ], "TLP": "green", "cloned_from": "65b5cbbbcb7a479db222f053", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4174, "URL": 9617, "FileHash-MD5": 241, "FileHash-SHA1": 235, "FileHash-SHA256": 6801, "hostname": 4314, "CVE": 2, "email": 13, "BitcoinAddress": 3 }, "indicator_count": 25400, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a836104ede1963b0502042", "name": "Not even Google", "description": "https://shadow.googlecnapps.cn\njoshuajenkinslaw.com", "modified": "2024-02-16T17:02:44.115000", "created": "2024-01-17T20:18:24.316000", "tags": [ "ssl certificate", "threat roundup", "whois record", "march", "october", "contacted", "july", "april", "june", "roundup", "august", "copy", "execution", "plugx", "goldfinder", "sibot", "hacktool", "february", "ransomexx", "ermac", "emotet", "agent tesla", "nokoyawa" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1315, "URL": 1384, "domain": 327, "hostname": 516, "FileHash-MD5": 19, "FileHash-SHA1": 19 }, "indicator_count": 3580, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659b0fd1ac7cb4d83834db1f", "name": "Botnet Command and Control Server | Malware Distribution Site", "description": "", "modified": "2024-02-06T20:02:52.205000", "created": "2024-01-07T20:55:45.006000", "tags": [ "passive dns", "urls", "scan endpoints", "all octoseek", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "status code", "body", "httponly", "ssl certificate", "historical ssl", "whois record", "parent referrer", "whois whois", "communicating", "contacted", "contacted urls", "bundled", "pe resource", "dropped", "army", "machinename", "execution", "referrer", "malware distribution site", "phishing dropbox", "evasive", "banker", "dde", "dridex", "exploit", "dyre", "dyreza", "ransomware", "mydoom", "backdoor", "svg", "phising", "locky", "e-mail provider phishing", "spear phishing", "retefe", "defacement", "phishing development bank of singapore", "banjori", "suppobox", "zeus", "pony", "solar", "ransomware locky distribution site", "nymaim", "shade", "troldesh", "tvrat", "zbot", "elocky", "wisdomeyes", "kryptic", "sinkhole", "exploit", "worm", "backdoor", "injector", "botnet command and control server", "unknown", "domain", "creation date", "search", "date", "hostname", "next", "all search", "otx octoseek", "united", "as13335", "ipv4", "pulse submit", "url analysis", "iocs", "ioc search", "new ioc", "teams api", "contact", "files", "nxdomain", "win32", "meta", "wabot", "gmt contenttype", "dnssec", "name", "win32 exe", "detections file", "file size", "kb file", "domains", "registrar", "markmonitor inc", "status", "susp", "expiration date", "name servers", "domain related", "entries", "johnnsabey", "m. brian sabey", "mark sabey", "sabey data center", "utah", "http method", "http requests", "connect http", "get dns", "resolutions", "ip traffic", "problems", "alienvault part", "kgs0", "kls0", "schema abuse", "sneaky server", "iframe", "apple", "data collection" ], "references": [ "http://security.didici.cc/cve" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "virus.virlock/nabucur", "display_name": "virus.virlock/nabucur", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null }, { "id": "Banjori", "display_name": "Banjori", "target": null }, { "id": "Trojan.AvsEtecer", "display_name": "Trojan.AvsEtecer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "TV RAT", "display_name": "TV RAT", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Dyre", "display_name": "Dyre", "target": null }, { "id": "ELocky", "display_name": "ELocky", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Locky (Decryptor)", "display_name": "Locky (Decryptor)", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Gen:Variant.Strictor", "display_name": "Gen:Variant.Strictor", "target": null }, { "id": "Adware.BrowseFox", "display_name": "Adware.BrowseFox", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "MSIL_Kryptik.P.gen", "display_name": "MSIL_Kryptik.P.gen", "target": null }, { "id": "pykspa_v2_fake", "display_name": "pykspa_v2_fake", "target": null }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "TEL:Exploit:Win32/Sinkers", "display_name": "TEL:Exploit:Win32/Sinkers", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA256": 3121, "URL": 4225, "domain": 1725, "hostname": 1416, "FileHash-SHA1": 225, "CVE": 2, "email": 3 }, "indicator_count": 10948, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a48ab7cd0bd218b17ccf6c", "name": "Botnet Command and Control Server | Malware", "description": "", "modified": "2024-02-06T20:02:52.205000", "created": "2024-01-15T01:30:31.655000", "tags": [ "passive dns", "urls", "scan endpoints", "all octoseek", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "status code", "body", "httponly", "ssl certificate", "historical ssl", "whois record", "parent referrer", "whois whois", "communicating", "contacted", "contacted urls", "bundled", "pe resource", "dropped", "army", "machinename", "execution", "referrer", "malware distribution site", "phishing dropbox", "evasive", "banker", "dde", "dridex", "exploit", "dyre", "dyreza", "ransomware", "mydoom", "backdoor", "svg", "phising", "locky", "e-mail provider phishing", "spear phishing", "retefe", "defacement", "phishing development bank of singapore", "banjori", "suppobox", "zeus", "pony", "solar", "ransomware locky distribution site", "nymaim", "shade", "troldesh", "tvrat", "zbot", "elocky", "wisdomeyes", "kryptic", "sinkhole", "exploit", "worm", "backdoor", "injector", "botnet command and control server", "unknown", "domain", "creation date", "search", "date", "hostname", "next", "all search", "otx octoseek", "united", "as13335", "ipv4", "pulse submit", "url analysis", "iocs", "ioc search", "new ioc", "teams api", "contact", "files", "nxdomain", "win32", "meta", "wabot", "gmt contenttype", "dnssec", "name", "win32 exe", "detections file", "file size", "kb file", "domains", "registrar", "markmonitor inc", "status", "susp", "expiration date", "name servers", "domain related", "entries", "johnnsabey", "m. brian sabey", "mark sabey", "sabey data center", "utah", "http method", "http requests", "connect http", "get dns", "resolutions", "ip traffic", "problems", "alienvault part", "kgs0", "kls0", "schema abuse", "sneaky server", "iframe", "apple", "data collection" ], "references": [ "http://security.didici.cc/cve" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "virus.virlock/nabucur", "display_name": "virus.virlock/nabucur", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null }, { "id": "Banjori", "display_name": "Banjori", "target": null }, { "id": "Trojan.AvsEtecer", "display_name": "Trojan.AvsEtecer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "TV RAT", "display_name": "TV RAT", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Dyre", "display_name": "Dyre", "target": null }, { "id": "ELocky", "display_name": "ELocky", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "Locky (Decryptor)", "display_name": "Locky (Decryptor)", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan.WisdomEyes.16070401.9500", "display_name": "Trojan.WisdomEyes.16070401.9500", "target": null }, { "id": "Gen:Variant.Strictor", "display_name": "Gen:Variant.Strictor", "target": null }, { "id": "Adware.BrowseFox", "display_name": "Adware.BrowseFox", "target": null }, { "id": "W32.eHeur", "display_name": "W32.eHeur", "target": null }, { "id": "MSIL_Kryptik.P.gen", "display_name": "MSIL_Kryptik.P.gen", "target": null }, { "id": "pykspa_v2_fake", "display_name": "pykspa_v2_fake", "target": null }, { "id": "Worm:Win32/Pykspa", "display_name": "Worm:Win32/Pykspa", "target": "/malware/Worm:Win32/Pykspa" }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "TEL:Exploit:Win32/Sinkers", "display_name": "TEL:Exploit:Win32/Sinkers", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1574.008", "name": "Path Interception by Search Order Hijacking", "display_name": "T1574.008 - Path Interception by Search Order Hijacking" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" } ], "industries": [], "TLP": "white", "cloned_from": "659b0fd1ac7cb4d83834db1f", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA256": 3121, "URL": 4225, "domain": 1725, "hostname": 1416, "FileHash-SHA1": 225, "CVE": 2, "email": 3 }, "indicator_count": 10948, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://staging.widevine.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://staging.widevine.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780224168.8803036 }