{ "type": "URL", "indicator": "https://startup.googlecnapps.cn", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://startup.googlecnapps.cn", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3817257464, "indicator": "https://startup.googlecnapps.cn", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688d75bdc4bc5ba5cb6df7fb", "name": "2nd X - https://ldl.myqnascloud.com/ - DT_VMP_32", "description": "*Malware: DT_VMP_32 -associated with non specific trojan or ransomware activity, widely-known malware family with (custom) unique names.\n\u2022 pid-bodis-gcontrol151 |\u2022 googledownloads.cn\nServer or central repository used to target Tsara Brashears , \n into a malicious w/botnet world. Parked domains used w/malicious intent though appearing benign or \u2018for sale\u2019. \n\nDetections: \nSuspicious User-Agent - Possible Trojan Downloader (https)\nHTTP Request to a *.tw domain\n#bodis #targeting #parkingcrews #active #content_delivery #malvertizing #content_scraping #malware #attacks #dumping #framing #webcache #colbaltstrike #trojan_downloader #disabler #distributor #music_piracy #domainfraud #ransom", "modified": "2025-09-01T01:01:18.030000", "created": "2025-08-02T02:19:41.646000", "tags": [ "cisco", "umbrella rank", "domain", "general full", "united", "reverse dns", "software", "kb script", "url https", "asn15169", "google", "resource", "hash", "value", "variables", "domainpath name", "name value", "august", "servaas klute", "americachicago", "verified", "ecdsa", "linux x8664", "khtml", "gecko", "aes128gcm", "maxradlinklen50", "encrypt", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "spawns", "mitre att", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "pattern match", "show technique", "body", "date", "hybrid", "general", "path", "click", "strings", "meta", "present jul", "search", "entries", "ip address", "registrar", "creation date", "record value", "name servers", "servers", "found a", "location united", "asn as15169", "less whois", "mtb apr", "trojan", "trojandropper", "backdoor", "win32qqpass apr", "next associated", "files show", "date hash", "avast avg", "ipv4", "pulse pulses", "passive dns", "urls", "files", "hacktool", "ipv4 add", "virtool", "present aug", "present feb", "present jan", "gmt location", "gmt max", "certificate", "showing", "cowboy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2209, "domain": 801, "URL": 6114, "FileHash-SHA256": 2162, "FileHash-MD5": 184, "FileHash-SHA1": 187, "CIDR": 3, "SSLCertFingerprint": 2, "email": 1, "CVE": 2 }, "indicator_count": 11665, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66246ff49ed29ea9bb2bf122", "name": "S\u0105d Rejonowy w Jeleniej Gorze POLAND", "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations", "modified": "2025-05-14T21:18:36.989000", "created": "2024-04-21T01:46:28.554000", "tags": [ "jeleniej grze", "aktualnoci", "informacje", "jednostka", "rejonowy", "konkurs", "najczciej", "sd rejonowy", "przejd", "czytaj", "click", "sdzia jarosaw", "wydziau", "sdzia grzegorz", "katarzyna", "rudnicka dane", "kontaktowe sd", "jelenia gra", "mickiewicza", "zawarto", "html", "nazwa meta", "robotw", "telefon", "brak", "skala", "ua zgodna", "head body", "zasb", "cname", "kod odpowiedzi", "kodowanie treci", "wygasa", "gmt serwer", "pragma", "kontrola pamici", "podrcznej", "data", "gmt kontrola", "dostpuzezwl na", "czytaj wicej", "sd okrgowy", "jednostki", "okrgowy", "ogoszenia", "sha256", "vhash", "ssdeep", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "tworzy katalog", "tworzy pliki", "typ pliku", "json", "ascii", "windows", "sqlite", "foxpro fpt", "links typ", "mapa", "152 x", "sqlite w", "sha1", "sha512", "file size", "b file", "testing", "komornik sdowy", "sdzie rejonowym", "tomasz rodacki", "obwieszczenie", "komornicze", "tumacza migam", "tumacz czynny", "zamknite", "wiadczenia", "schedule", "error", "javascript", "bakers hall", "ixaction", "script", "ixchatlauncher", "compatibility", "com dla", "t1055 pewno", "unikanie obrony", "t1036 maskarada", "t1082 pewno", "informacje o", "nazwa pliku", "dokument pdf", "rozmiar pliku", "zapowied", "type", "iii dbt", "utf8", "dziennik" ], "references": [ "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "http://www.jelenia-gora.so.gov.pl/", "https://www.jelenia-gora.so.gov.pl/", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://waf.intelix.pl/957476/Chat/Script/Compatibility" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "serwer", "display_name": "serwer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 71, "domain": 7651, "hostname": 7680, "IPv4": 331, "FileHash-SHA256": 16168, "URL": 10399, "FileHash-MD5": 3639, "FileHash-SHA1": 3468, "CIDR": 4, "CVE": 89, "YARA": 521, "SSLCertFingerprint": 25, "JA3": 1, "IPv6": 5813 }, "indicator_count": 55860, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665182d791bfc08412ec2c0a", "name": "Shadow Pad | Appears as investigation of an infirmed non criminal", "description": "ShadowPad is a modular backdoor attack platform that uses an ecosystem of plugins. It stealthily infiltrates target systems and provides attackers with capabilities to gather data execute commands, interacts with the file system and registry, and deploys new modules to extend functionality controlling the compromised systems remotely.\n\nElderly ill target cannot summon help.\n*Forced Updates for Google Chrome\n*Browser bar plug-in. \nRedirects calls to OOS phone message who;e call is still dialing\n*Emergency calls are always answered by 'police communication' at every given time of the day there are no police , ambulance, or any help available. They have already left for the day. \n*Nefarious user has on UTC time.\n Merits further investigation.", "modified": "2024-06-24T05:01:31.025000", "created": "2024-05-25T06:19:03.896000", "tags": [ "threat roundup", "historical ssl", "referrer", "socs", "water dybbuk", "a bec", "actor using", "service", "privateloader", "blacknet rat", "shadowpad", "algorithm", "v3 serial", "number", "cus ogoogle", "trust", "llc cngts", "validity", "subject public", "key info", "aaaa", "record type", "ttl value", "cname", "server", "domain status", "google llc", "registrar abuse", "registrar", "admin country", "ca creation", "dnssec", "subdomains", "key algorithm", "ec oid", "key identifier", "subject key", "identifier", "first", "name verdict", "falcon sandbox", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "sha1", "sha256", "severity", "ascii text", "hybrid", "local", "click", "strings", "contact", "isoscope", "malicious", "Trojan:PDF/Owaphish.A", "android", "cisco", "show", "create c", "related pulses", "copy", "search", "peter pdf", "modifydate", "hacker playbook", "practical guide", "write", "trojan", "format", "core", "united", "unknown", "passive dns", "scan endpoints", "all scoreblue", "urls", "files", "none related", "miles", "all search", "otx scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "abuse", "pentest", "127.0.0.1" ], "references": [ "Trojan:PDF/Owaphish.A: https://otx.alienvault.com/indicator/file/b3735b6a91f612fdb28832408fe53ee286d0d618802db2e35f0c9e1f266f8918", "https://www.hybrid-analysis.com/sample/1843e6de2e062031e54642a10f4582884a2a9e5d97092f7221c35e9fa9b92cc7/665173a88bb19689e2005033" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RCE CVE-2023-3519", "display_name": "RCE CVE-2023-3519", "target": null }, { "id": "Trojan:PDF/Owaphish.A", "display_name": "Trojan:PDF/Owaphish.A", "target": "/malware/Trojan:PDF/Owaphish.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 97, "FileHash-SHA1": 93, "FileHash-SHA256": 822, "domain": 166, "URL": 571, "hostname": 252, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 2012, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "664 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66141ecabe8f1ab189351dd3", "name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring", "description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related", "modified": "2024-05-08T16:00:34.588000", "created": "2024-04-08T16:43:54.908000", "tags": [ "installer", "tofsee", "trojan", "dropper", "dns", "as20940", "united", "aaaa", "as15703", "search", "servers", "as8455 schuberg", "a domains", "encrypt", "code", "tweakers", "unknown", "ransom", "body", "webcams", "banker", "location tracking", "vehicle tracking", "device tracking", "exploitation", "redirects", "ip tracking", "vpn nullify", "vehicle keycodes", "search threat", "analyzer feeds", "panel platform", "search platform", "profile user", "iocs", "redacted for", "passive dns", "all scoreblue", "hostname", "next", "cnc", "scanning host", "milesone", "virtual currency mining", "crypto", "regsetvalueexa", "regdword", "default", "show", "regbinary", "read c", "settingswpad", "as15169", "malware", "copy", "write", "upatre", "ids detections", "scan endpoints", "filehash", "av detections", "yara detections", "alerts", "analysis date", "file score", "ransom", "related pulses", "entries", "icmp traffic", "packing t1045", "t1045", "pe resource", "august", "win32", "for privacy", "creation date", "name servers", "urls", "date", "status", "as15169 google", "as44273 host", "ipv4", "pulse submit", "url analysis", "msie", "chrome", "moved", "title", "gmt content", "apple", "invalidate_gift_cards", "tulach rebranded", "hallrender rebranded", "as8075", "verdana", "td tr", "domain", "germany unknown", "as34011 host", "etag", "medium", "module load", "invalidate_google_play", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "win32 exe", "win32 dll", "javascript", "mozilla firefox", "edition", "detections type", "name", "keeweb", "setup", "firefox setup", "record type", "ttl value", "android", "files", "formbook", "critical cmd", "tracker", "tsara brashears", "remote", "historical ssl", "referrer", "march", "body html", "head meta", "moved title", "head body", "pegasus", "nemtih", "hit", "men", "gift_card_mining", "google_play_card_mining", "miner", "htmladodb may", "twitter", "win64", "as21342", "as2914 ntt", "as15334", "error", "certificate", "checkbox", "accept", "record value", "emails", "domain name" ], "references": [ "Virustotal - google.com.uy", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "nr-data.net [Apple Private Data Collection]", "checkip.dyndns.org [command and control]", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "144.76.108.82 [scanning host]", "Yara Detections PEtite24", "FormBook IP: 142.251.211.243", "https://pegasusm2.bullsbikesusa.com", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:MSIL/TrojanDropper", "display_name": "Trojan:MSIL/TrojanDropper", "target": "/malware/Trojan:MSIL/TrojanDropper" }, { "id": "Installer", "display_name": "Installer", "target": null }, { "id": "Sf:Agent-DQ\\ [Trj]", "display_name": "Sf:Agent-DQ\\ [Trj]", "target": null }, { "id": "TrojanDownloader:Win32/Upatre!rfn", "display_name": "TrojanDownloader:Win32/Upatre!rfn", "target": "/malware/TrojanDownloader:Win32/Upatre!rfn" }, { "id": "Win32:DropperX-gen\\ [Drp]", "display_name": "Win32:DropperX-gen\\ [Drp]", "target": null }, { "id": "Win.Trojan.Tofsee-9770082-1", "display_name": "Win.Trojan.Tofsee-9770082-1", "target": null }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1574.005", "name": "Executable Installer File Permissions Weakness", "display_name": "T1574.005 - Executable Installer File Permissions Weakness" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1493", "name": "Transmitted Data Manipulation", "display_name": "T1493 - Transmitted Data Manipulation" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1013", "name": "Port Monitors", "display_name": "T1013 - Port Monitors" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1468", "name": "Remotely Track Device Without Authorization", "display_name": "T1468 - Remotely Track Device Without Authorization" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 468, "FileHash-SHA256": 3233, "URL": 8667, "domain": 2219, "hostname": 3480, "email": 8 }, "indicator_count": 18467, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "711 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7e3fe91a1aceb955e54f6", "name": "NSO Group Pegasus", "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T17:44:30.147000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7e3fe934ae9d391614c0d", "name": "NSO Group Pegasus", "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T17:44:30.585000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7e4017a14cda8d09c9bf8", "name": "NSO Group Pegasus", "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T17:44:33.270000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7e406028ca6f363f41315", "name": "NSO Group Pegasus", "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T17:44:38.424000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8071976a7e6dccaabbada", "name": "NSO Group Pegasus", "description": "", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T20:14:17.001000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65b7e406028ca6f363f41315", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a836104ede1963b0502042", "name": "Not even Google", "description": "https://shadow.googlecnapps.cn\njoshuajenkinslaw.com", "modified": "2024-02-16T17:02:44.115000", "created": "2024-01-17T20:18:24.316000", "tags": [ "ssl certificate", "threat roundup", "whois record", "march", "october", "contacted", "july", "april", "june", "roundup", "august", "copy", "execution", "plugx", "goldfinder", "sibot", "hacktool", "february", "ransomexx", "ermac", "emotet", "agent tesla", "nokoyawa" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1315, "URL": 1384, "domain": 327, "hostname": 516, "FileHash-MD5": 19, "FileHash-SHA1": 19 }, "indicator_count": 3580, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659fa1fad840744f75eb2d14", "name": "Worm:Win32/Benjamin IoC's", "description": "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples | \nFiles Matching Antivirus Detection - 296,250 \nNetwork Icmp\nPersistence Autorun\nNetwork Http\nDynamic Function Loading\nProcmem Yara\nInjection Rwx\nPowershell Request\nDead Connect\nSuricata Alert\nPe Features\nPacker Entropy\nAntivm Memory Available\nAllocates Rwx\nCreates Exe\nPacker Polymorphic\nNids Alert\nDead Host\nNolookup Communication", "modified": "2024-02-10T07:03:55.140000", "created": "2024-01-11T08:08:26.689000", "tags": [ "worm", "win32", "benjamin", "passive dns", "as47846", "germany unknown", "urls", "next", "scan endpoints", "all octoseek", "unknown", "threat roundup", "ssl certificate", "whois record", "august", "april", "execution", "october", "july", "march", "contacted", "june", "emotet", "quasar", "core", "hacktool", "goldfinder", "sibot", "ryuk", "drxk0gdg2s06f8p", "cfom2jtlf", "k60zzli http", "whois whois", "historical ssl", "resolutions", "referrer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 145, "FileHash-SHA256": 2888, "hostname": 1075, "domain": 1007, "URL": 4964, "CVE": 1 }, "indicator_count": 10224, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "799 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659b4cea3e6da3a00306ae11", "name": "Ragnar Locker | Cowrie Hash", "description": "Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by an attacker. Cowrie also functions as an SSH and telnet proxy to observe attacker behavior to another system. Cowrie was developed from Kippo.\n\nRagnar Locker: \nAffected platforms: Microsoft Windows\nImpacted parties: Microsoft Windows & Linux Users\nImpact: Encrypts files on the compromised machine and demands ransom for file decryption\nSeverity level: High\n\nI'm not sure. It seems this 'Law' group aquires and sell your digital profiles, PHI. PII, Banking , Insurance credentials on the dark web.", "modified": "2024-02-06T23:04:54.022000", "created": "2024-01-08T01:16:26.884000", "tags": [ "contacted", "pe resource", "execution", "problems", "alienvault part", "dropped", "kgs0", "kls0", "collections", "schema abuse", "iframe", "united", "as29791", "search", "entries", "passive dns", "urls", "service", "date", "unknown", "japan unknown", "body", "czechia unknown", "sinkhole", "emotet", "date hash", "avast avg", "mtb dec", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "samples", "tulach", "tulach.cc", "sabey data center", "malware server", "gorf", "set cookie", "united kingdom", "script urls", "trojan", "status", "showing", "cookie", "template", "johnnsabey", "briansabey", "data center", "choco", "name", "win32 exe", "domains", "registrar", "markmonitor inc", "ip detections", "country", "us execution", "parents", "whois record", "whois whois", "ssl certificate", "apple ios", "red team", "tsara brashears", "historical ssl", "hacktool", "copy", "malicious", "life", "unsafe", "server", "registrar abuse", "contact phone", "domain status", "registrar whois", "email", "registry domain", "registry expiry", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "ec oid", "key identifier", "subject key", "identifier", "x509v3 key", "info", "first", "http method", "http requests", "connect http", "get dns", "resolutions", "ip traffic", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "show", "free", "recon", "benjamin", "write", "worm", "win32", "june", "delphi", "code", "malware", "next", "using", "urls http", "benjamin", "nids", "cowrie hashes", "dns replication", "files", "sample", "sender", "us postal", "cowrie", "iranian actor", "shipping", "healthcare", "ragnar locker", "qakbot", "qbot", "pii", "phi", "privacy", "honeypot", "referrer", "spyware", "android", "nanocore", "banker", "keylogger" ], "references": [ "choco.exe", "media-router-fp74.prod.media.vip.bf1.yahoo.com", "https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true", "httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/", "http://security.didici.cc/cve", "https://whois.domaintools.com/gov1.info", "https://nsa.gov1.info/utah-data-center/", "https://github.com/cowrie/cowrie", "Cowrie (honeypot) - Wikipedia", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware" ], "public": 1, "adversary": "Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "ALF:Win32/GbdInf_123DF591.J!ibt", "display_name": "ALF:Win32/GbdInf_123DF591.J!ibt", "target": "/malware/ALF:Win32/GbdInf_123DF591.J!ibt" }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "display_name": "ALF:Trojan:Win32/Cassini_ade36583!ibt", "target": null }, { "id": "ALF:Ransom:Win32/Babax.SG!MTB", "display_name": "ALF:Ransom:Win32/Babax.SG!MTB", "target": null }, { "id": "ALF:SpikeAexR.SECTHDR", "display_name": "ALF:SpikeAexR.SECTHDR", "target": null }, { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt", "target": null }, { "id": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "display_name": "ALF:HeraklezEval:Ransom:MSIL/Gorf", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Ragnar Locker", "display_name": "Ragnar Locker", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Worm", "display_name": "Worm", "target": null }, { "id": "NanCore RAY", "display_name": "NanCore RAY", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [ "Healthcare", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 347, "FileHash-SHA1": 222, "FileHash-SHA256": 6645, "hostname": 2744, "URL": 9123, "domain": 3065, "email": 4 }, "indicator_count": 22150, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659331580cd1571f730b8de2", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.242000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659331589faf01b909c1802d", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.413000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://en.m.wikipedia.org \u203a wiki NSO Group", "https://www.nsogroup.com/", "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "findbetterresults.com", "choco.exe", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "nr-data.net [Apple Private Data Collection]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "media-router-fp74.prod.media.vip.bf1.yahoo.com", "https://pegasusm2.bullsbikesusa.com", "Trojan:PDF/Owaphish.A: https://otx.alienvault.com/indicator/file/b3735b6a91f612fdb28832408fe53ee286d0d618802db2e35f0c9e1f266f8918", "321Survive.exe", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true", "https://www.hybrid-analysis.com/sample/1843e6de2e062031e54642a10f4582884a2a9e5d97092f7221c35e9fa9b92cc7/665173a88bb19689e2005033", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "ww.google.com.uy", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "Virustotal - google.com.uy", "http://www.jelenia-gora.so.gov.pl/", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://whois.domaintools.com/gov1.info", "FormBook IP: 142.251.211.243", "https://waf.intelix.pl/957476/Chat/Script/Compatibility", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware", "https://nsa.gov1.info/utah-data-center/", "https://github.com/cowrie/cowrie", "144.76.108.82 [scanning host]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "Cowrie (honeypot) - Wikipedia", "checkip.dyndns.org [command and control]", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA", "http://security.didici.cc/cve", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/", "https://www.jelenia-gora.so.gov.pl/", "Yara Detections PEtite24", "www2.megawebfind.com [command_and_control]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Group", "Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin" ], "malware_families": [ "", "Win.trojan.tofsee-9770082-1", "Alf:win32/gbdinf_123df591.j!ibt", "Sf:agent-dq\\ [trj]", "Nancore ray", "Alf:spikeaexr.secthdr", "Trojan.wanna/wannacry", "Hacktool", "Win32:dropperx-gen\\ [drp]", "Worm:win32/benjamin", "Installer", "Qakbot", "Alf:trojan:msil/agenttesla.km", "Trojan:msil/trojandropper", "Worm", "Alf:heraklezeval:ransom:msil/gorf", "Tofsee", "Trojandownloader:win32/upatre!rfn", "Ransom:win32/stopcrypt.ak!mtb", "Alf:ransom:win32/babax.sg!mtb", "Sabey", "Tulach", "Ransomware", "Serwer", "Rce cve-2023-3519", "Hallrender", "Agent tesla", "Trojan:pdf/owaphish.a", "Qbot", "Alf:trojan:win32/cassini_ade36583!ibt", "Trojan", "Emotet", "Alf:heraklezeval:trojan:win32/clipbanker , , alf:trojan:win32/autorun.pi!mtb , alf:trojan:win32/cassini_6d4ebdc9!ibt", "Alf:trojan:win32/cassini_f28c33a2!ibt", "Ragnar locker" ], "industries": [ "Insurance", "Healthcare" ], "unique_indicators": 164187 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/googlecnapps.cn", "whois": "http://whois.domaintools.com/googlecnapps.cn", "domain": "googlecnapps.cn", "hostname": "startup.googlecnapps.cn" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688d75bdc4bc5ba5cb6df7fb", "name": "2nd X - https://ldl.myqnascloud.com/ - DT_VMP_32", "description": "*Malware: DT_VMP_32 -associated with non specific trojan or ransomware activity, widely-known malware family with (custom) unique names.\n\u2022 pid-bodis-gcontrol151 |\u2022 googledownloads.cn\nServer or central repository used to target Tsara Brashears , \n into a malicious w/botnet world. Parked domains used w/malicious intent though appearing benign or \u2018for sale\u2019. \n\nDetections: \nSuspicious User-Agent - Possible Trojan Downloader (https)\nHTTP Request to a *.tw domain\n#bodis #targeting #parkingcrews #active #content_delivery #malvertizing #content_scraping #malware #attacks #dumping #framing #webcache #colbaltstrike #trojan_downloader #disabler #distributor #music_piracy #domainfraud #ransom", "modified": "2025-09-01T01:01:18.030000", "created": "2025-08-02T02:19:41.646000", "tags": [ "cisco", "umbrella rank", "domain", "general full", "united", "reverse dns", "software", "kb script", "url https", "asn15169", "google", "resource", "hash", "value", "variables", "domainpath name", "name value", "august", "servaas klute", "americachicago", "verified", "ecdsa", "linux x8664", "khtml", "gecko", "aes128gcm", "maxradlinklen50", "encrypt", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "spawns", "mitre att", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "pattern match", "show technique", "body", "date", "hybrid", "general", "path", "click", "strings", "meta", "present jul", "search", "entries", "ip address", "registrar", "creation date", "record value", "name servers", "servers", "found a", "location united", "asn as15169", "less whois", "mtb apr", "trojan", "trojandropper", "backdoor", "win32qqpass apr", "next associated", "files show", "date hash", "avast avg", "ipv4", "pulse pulses", "passive dns", "urls", "files", "hacktool", "ipv4 add", "virtool", "present aug", "present feb", "present jan", "gmt location", "gmt max", "certificate", "showing", "cowboy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2209, "domain": 801, "URL": 6114, "FileHash-SHA256": 2162, "FileHash-MD5": 184, "FileHash-SHA1": 187, "CIDR": 3, "SSLCertFingerprint": 2, "email": 1, "CVE": 2 }, "indicator_count": 11665, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66246ff49ed29ea9bb2bf122", "name": "S\u0105d Rejonowy w Jeleniej Gorze POLAND", "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations", "modified": "2025-05-14T21:18:36.989000", "created": "2024-04-21T01:46:28.554000", "tags": [ "jeleniej grze", "aktualnoci", "informacje", "jednostka", "rejonowy", "konkurs", "najczciej", "sd rejonowy", "przejd", "czytaj", "click", "sdzia jarosaw", "wydziau", "sdzia grzegorz", "katarzyna", "rudnicka dane", "kontaktowe sd", "jelenia gra", "mickiewicza", "zawarto", "html", "nazwa meta", "robotw", "telefon", "brak", "skala", "ua zgodna", "head body", "zasb", "cname", "kod odpowiedzi", "kodowanie treci", "wygasa", "gmt serwer", "pragma", "kontrola pamici", "podrcznej", "data", "gmt kontrola", "dostpuzezwl na", "czytaj wicej", "sd okrgowy", "jednostki", "okrgowy", "ogoszenia", "sha256", "vhash", "ssdeep", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "tworzy katalog", "tworzy pliki", "typ pliku", "json", "ascii", "windows", "sqlite", "foxpro fpt", "links typ", "mapa", "152 x", "sqlite w", "sha1", "sha512", "file size", "b file", "testing", "komornik sdowy", "sdzie rejonowym", "tomasz rodacki", "obwieszczenie", "komornicze", "tumacza migam", "tumacz czynny", "zamknite", "wiadczenia", "schedule", "error", "javascript", "bakers hall", "ixaction", "script", "ixchatlauncher", "compatibility", "com dla", "t1055 pewno", "unikanie obrony", "t1036 maskarada", "t1082 pewno", "informacje o", "nazwa pliku", "dokument pdf", "rozmiar pliku", "zapowied", "type", "iii dbt", "utf8", "dziennik" ], "references": [ "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "http://www.jelenia-gora.so.gov.pl/", "https://www.jelenia-gora.so.gov.pl/", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://waf.intelix.pl/957476/Chat/Script/Compatibility" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "serwer", "display_name": "serwer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 71, "domain": 7651, "hostname": 7680, "IPv4": 331, "FileHash-SHA256": 16168, "URL": 10399, "FileHash-MD5": 3639, "FileHash-SHA1": 3468, "CIDR": 4, "CVE": 89, "YARA": 521, "SSLCertFingerprint": 25, "JA3": 1, "IPv6": 5813 }, "indicator_count": 55860, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665182d791bfc08412ec2c0a", "name": "Shadow Pad | Appears as investigation of an infirmed non criminal", "description": "ShadowPad is a modular backdoor attack platform that uses an ecosystem of plugins. It stealthily infiltrates target systems and provides attackers with capabilities to gather data execute commands, interacts with the file system and registry, and deploys new modules to extend functionality controlling the compromised systems remotely.\n\nElderly ill target cannot summon help.\n*Forced Updates for Google Chrome\n*Browser bar plug-in. \nRedirects calls to OOS phone message who;e call is still dialing\n*Emergency calls are always answered by 'police communication' at every given time of the day there are no police , ambulance, or any help available. They have already left for the day. \n*Nefarious user has on UTC time.\n Merits further investigation.", "modified": "2024-06-24T05:01:31.025000", "created": "2024-05-25T06:19:03.896000", "tags": [ "threat roundup", "historical ssl", "referrer", "socs", "water dybbuk", "a bec", "actor using", "service", "privateloader", "blacknet rat", "shadowpad", "algorithm", "v3 serial", "number", "cus ogoogle", "trust", "llc cngts", "validity", "subject public", "key info", "aaaa", "record type", "ttl value", "cname", "server", "domain status", "google llc", "registrar abuse", "registrar", "admin country", "ca creation", "dnssec", "subdomains", "key algorithm", "ec oid", "key identifier", "subject key", "identifier", "first", "name verdict", "falcon sandbox", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "sha1", "sha256", "severity", "ascii text", "hybrid", "local", "click", "strings", "contact", "isoscope", "malicious", "Trojan:PDF/Owaphish.A", "android", "cisco", "show", "create c", "related pulses", "copy", "search", "peter pdf", "modifydate", "hacker playbook", "practical guide", "write", "trojan", "format", "core", "united", "unknown", "passive dns", "scan endpoints", "all scoreblue", "urls", "files", "none related", "miles", "all search", "otx scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "abuse", "pentest", "127.0.0.1" ], "references": [ "Trojan:PDF/Owaphish.A: https://otx.alienvault.com/indicator/file/b3735b6a91f612fdb28832408fe53ee286d0d618802db2e35f0c9e1f266f8918", "https://www.hybrid-analysis.com/sample/1843e6de2e062031e54642a10f4582884a2a9e5d97092f7221c35e9fa9b92cc7/665173a88bb19689e2005033" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RCE CVE-2023-3519", "display_name": "RCE CVE-2023-3519", "target": null }, { "id": "Trojan:PDF/Owaphish.A", "display_name": "Trojan:PDF/Owaphish.A", "target": "/malware/Trojan:PDF/Owaphish.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1453", "name": "Abuse Accessibility Features", "display_name": "T1453 - Abuse Accessibility Features" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 97, "FileHash-SHA1": 93, "FileHash-SHA256": 822, "domain": 166, "URL": 571, "hostname": 252, "email": 6, "SSLCertFingerprint": 4 }, "indicator_count": 2012, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "664 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66141ecabe8f1ab189351dd3", "name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring", "description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related", "modified": "2024-05-08T16:00:34.588000", "created": "2024-04-08T16:43:54.908000", "tags": [ "installer", "tofsee", "trojan", "dropper", "dns", "as20940", "united", "aaaa", "as15703", "search", "servers", "as8455 schuberg", "a domains", "encrypt", "code", "tweakers", "unknown", "ransom", "body", "webcams", "banker", "location tracking", "vehicle tracking", "device tracking", "exploitation", "redirects", "ip tracking", "vpn nullify", "vehicle keycodes", "search threat", "analyzer feeds", "panel platform", "search platform", "profile user", "iocs", "redacted for", "passive dns", "all scoreblue", "hostname", "next", "cnc", "scanning host", "milesone", "virtual currency mining", "crypto", "regsetvalueexa", "regdword", "default", "show", "regbinary", "read c", "settingswpad", "as15169", "malware", "copy", "write", "upatre", "ids detections", "scan endpoints", "filehash", "av detections", "yara detections", "alerts", "analysis date", "file score", "ransom", "related pulses", "entries", "icmp traffic", "packing t1045", "t1045", "pe resource", "august", "win32", "for privacy", "creation date", "name servers", "urls", "date", "status", "as15169 google", "as44273 host", "ipv4", "pulse submit", "url analysis", "msie", "chrome", "moved", "title", "gmt content", "apple", "invalidate_gift_cards", "tulach rebranded", "hallrender rebranded", "as8075", "verdana", "td tr", "domain", "germany unknown", "as34011 host", "etag", "medium", "module load", "invalidate_google_play", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "win32 exe", "win32 dll", "javascript", "mozilla firefox", "edition", "detections type", "name", "keeweb", "setup", "firefox setup", "record type", "ttl value", "android", "files", "formbook", "critical cmd", "tracker", "tsara brashears", "remote", "historical ssl", "referrer", "march", "body html", "head meta", "moved title", "head body", "pegasus", "nemtih", "hit", "men", "gift_card_mining", "google_play_card_mining", "miner", "htmladodb may", "twitter", "win64", "as21342", "as2914 ntt", "as15334", "error", "certificate", "checkbox", "accept", "record value", "emails", "domain name" ], "references": [ "Virustotal - google.com.uy", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "nr-data.net [Apple Private Data Collection]", "checkip.dyndns.org [command and control]", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "144.76.108.82 [scanning host]", "Yara Detections PEtite24", "FormBook IP: 142.251.211.243", "https://pegasusm2.bullsbikesusa.com", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:MSIL/TrojanDropper", "display_name": "Trojan:MSIL/TrojanDropper", "target": "/malware/Trojan:MSIL/TrojanDropper" }, { "id": "Installer", "display_name": "Installer", "target": null }, { "id": "Sf:Agent-DQ\\ [Trj]", "display_name": "Sf:Agent-DQ\\ [Trj]", "target": null }, { "id": "TrojanDownloader:Win32/Upatre!rfn", "display_name": "TrojanDownloader:Win32/Upatre!rfn", "target": "/malware/TrojanDownloader:Win32/Upatre!rfn" }, { "id": "Win32:DropperX-gen\\ [Drp]", "display_name": "Win32:DropperX-gen\\ [Drp]", "target": null }, { "id": "Win.Trojan.Tofsee-9770082-1", "display_name": "Win.Trojan.Tofsee-9770082-1", "target": null }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1574.005", "name": "Executable Installer File Permissions Weakness", "display_name": "T1574.005 - Executable Installer File Permissions Weakness" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1493", "name": "Transmitted Data Manipulation", "display_name": "T1493 - Transmitted Data Manipulation" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1013", "name": "Port Monitors", "display_name": "T1013 - Port Monitors" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1468", "name": "Remotely Track Device Without Authorization", "display_name": "T1468 - Remotely Track Device Without Authorization" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 468, "FileHash-SHA256": 3233, "URL": 8667, "domain": 2219, "hostname": 3480, "email": 8 }, "indicator_count": 18467, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "711 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7e3fe91a1aceb955e54f6", "name": "NSO Group Pegasus", "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T17:44:30.147000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7e3fe934ae9d391614c0d", "name": "NSO Group Pegasus", "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T17:44:30.585000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7e4017a14cda8d09c9bf8", "name": "NSO Group Pegasus", "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T17:44:33.270000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b7e406028ca6f363f41315", "name": "NSO Group Pegasus", "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when Brashears was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys? I am her only advocate.", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T17:44:38.424000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b8071976a7e6dccaabbada", "name": "NSO Group Pegasus", "description": "", "modified": "2024-02-28T15:01:20.140000", "created": "2024-01-29T20:14:17.001000", "tags": [ "ssl certificate", "whois record", "whois whois", "communicating", "cellbrite", "urls http", "referrer", "historical ssl", "nullmixer", "smokeloader", "redline stealer", "installer", "hiddentear", "probe", "nso group", "pegasus", "community", "xcitium verdict", "cloud", "bitdefender", "history", "utc http", "response final", "url final", "ip address", "status code", "compiler", "basic", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 compiler", "rticon russian", "info header", "name md5", "contained", "type", "language", "ico rtgroupicon", "russian", "overlay", "urls", "domains", "gandi sas", "contacted", "markmonitor", "ip detections", "country", "pe resource", "children", "file type", "ico mainicon", "linkid252669", "win32 dll", "ms visual", "win32 dynamic", "win32 exe", "files", "afrefhttp", "execution", "highly targeted", "http", "agent tesla", "blackbag", "relations most", "core", "malware", "emotet", "critical", "copy", "qakbot", "trojan", "ransomexx", "ryuk", "ransomware", "matanbuchus", "cobalt strike", "bazarloader", "as15169 google", "united", "passive dns", "aaaa", "title", "a domains", "body html", "head meta", "moved title", "tsara brashears", "offender", "Robert neill", "jeffery scott reimer", "assaulted", "sci", "warning", "denver", "death threats", "porn malvertizing", "bomb", "bomb threats" ], "references": [ "https://www.nsogroup.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ww.google.com.uy", "321Survive.exe", "https://en.m.wikipedia.org \u203a wiki NSO Group" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [], "malware_families": [ { "id": "trojan.wanna/wannacry", "display_name": "trojan.wanna/wannacry", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65b7e406028ca6f363f41315", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 570, "URL": 2908, "FileHash-MD5": 98, "FileHash-SHA1": 84, "FileHash-SHA256": 2241, "hostname": 1043, "CVE": 3, "email": 1 }, "indicator_count": 6948, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://startup.googlecnapps.cn", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://startup.googlecnapps.cn", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776616752.650057 }