{ "type": "URL", "indicator": "https://sub.test-fake-software.testpanw.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://sub.test-fake-software.testpanw.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4307173310, "indicator": "https://sub.test-fake-software.testpanw.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69f54c711cd17df01c20d601", "name": "Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT", "description": "Active cyber issues\ncontinue to affect Colorado Judicial, Government and Hospital systems. \n\nWhat\u2019s true: Targeting, Hacking , Rogue Domain Controller. Bad actors regularly ride outdated , poorly managed networks. \n\n\nTipped: Monitored Targets past irregular mail \nissues. URLs that redirects to Colorado Justice system., included in a letter that was sent to an undeliverable address. Mail sent again, recipient believes the contents of letters does not appear authentic. \n\n\nTipped: RE: Monitored Target. Unfavorable, Unjust conditions in Denver , Colorado USA. As recent as 4/2026. Other pulses related to this matter suggests a Pegasus relationship. Will need to analyze.", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T00:59:29.794000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 743, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4437, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5d960e861f6159823ff0b", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT'] credit, Q.VASHTI", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:00:48.440000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f54c711cd17df01c20d601", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 744, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4438, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5da1228db82eb87274cab", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court] clone from cellphone seperate", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:03:46.995000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f5d960e861f6159823ff0b", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 273, "hostname": 769, "URL": 1601, "FileHash-SHA256": 1576, "IPv4": 227, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4, "IPv6": 4 }, "indicator_count": 4760, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a07250fb9562ea208d26946", "name": "Credit *Q.Vashti* Clone [\u2022 Virus Total | P.S Banker | Attacked/Blocked \u2022] ", "description": "", "modified": "2026-05-16T05:47:36.553000", "created": "2026-05-15T13:52:15.176000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": "69dc04c12782d2d76c111a93", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2, "IPv4": 1 }, "indicator_count": 4999, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dc04c12782d2d76c111a93", "name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked", "description": "", "modified": "2026-05-12T20:40:08.152000", "created": "2026-04-12T20:46:57.338000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2 }, "indicator_count": 4998, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://securityaffairs.com/144927/cyber-crime~#", "coloradoproblemsolvingcourts.org?", "114.114.114.114 = Tulach", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "this.target", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://cp.bankid.no", "https://odr.coloradojudicial.gov/login", "chrome.cloudflare-dns.com", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "authrootstl.cab common file extension", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "IDS Detections: Query to a *.pw domain - Likely Hostile", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "www.its.courts.state.co.us", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "http://cr-malware.testpanw.com/url", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "https://www.coloradojudicial.gov/data", "https://rockylinux.map.fastlydns.net/", "https://clockoutbox.es/password" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.trojan.gh0strat-7480037-0", "Worm:win32/autorun!atmn", "Trojan:msil/snakekeylogger.mk1!mtb", "Trojan:win32/blihan.a", "Malware packed", "Alf:trojan:win64/psbanker", "Win.malware.jaik-9968280-0", "Trojan:win32/zombie.a", "Win.trojan.generic-9908275-0", "Trojandownloader:win32/vb.il", "Win.trojan.killav-210", "Trojandownloader:win32/upatre", "Trojan:o97m/madeba.a!det", "Tel:trojan:win32/injector.ab!msr", "Alf:trojan:win32/cassini_f2776388!ibt", "Trojan:win32/dorv.a", "Trojandownloader:win32/misfox", "Trojandownloader:win32/nemucod", "Trojan:win32/glupteba.mt!mtb", "Trojan:win32/scar.mr!mtb", "Trojandownloader:win32/systex.a", "Win.trojan.barys", "Trojan:win32/gupboot.b", "Trojandownloader:win32/inbat.h", "Alf:pulzati:trojan:win32/emotet!rfn", "Trojan:win32/zbot", "Tulach" ], "industries": [ "Government", "Technology", "Law" ], "unique_indicators": 9936 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/testpanw.com", "whois": "http://whois.domaintools.com/testpanw.com", "domain": "testpanw.com", "hostname": "sub.test-fake-software.testpanw.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69f54c711cd17df01c20d601", "name": "Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT", "description": "Active cyber issues\ncontinue to affect Colorado Judicial, Government and Hospital systems. \n\nWhat\u2019s true: Targeting, Hacking , Rogue Domain Controller. Bad actors regularly ride outdated , poorly managed networks. \n\n\nTipped: Monitored Targets past irregular mail \nissues. URLs that redirects to Colorado Justice system., included in a letter that was sent to an undeliverable address. Mail sent again, recipient believes the contents of letters does not appear authentic. \n\n\nTipped: RE: Monitored Target. Unfavorable, Unjust conditions in Denver , Colorado USA. As recent as 4/2026. Other pulses related to this matter suggests a Pegasus relationship. Will need to analyze.", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T00:59:29.794000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 743, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4437, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5d960e861f6159823ff0b", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT'] credit, Q.VASHTI", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:00:48.440000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f54c711cd17df01c20d601", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 271, "hostname": 744, "URL": 1509, "FileHash-SHA256": 1574, "IPv4": 30, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4 }, "indicator_count": 4438, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5da1228db82eb87274cab", "name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court] clone from cellphone seperate", "description": "", "modified": "2026-05-31T05:19:13.706000", "created": "2026-05-02T11:03:46.995000", "tags": [ "united kingdom", "united", "spain", "denmark", "report spam", "adversaries", "days ago", "xy amp", "ck ids", "packing", "taskjob", "ipv4", "indicator role", "active related", "ccus asnas749", "dynamicloader", "port", "high", "windows", "destination", "displayname", "write c", "write", "stream", "defense evasion", "malware", "hostile", "contacted", "ids detections", "query", "hostile http", "request", "lowercase host", "header observed", "tls sni", "yara detections", "active", "pulses hostname", "otx logo", "all report", "t1045", "t1053", "t1055", "fastly dns", ".ru", "microsoft", "palantirfoundry", "ioc", "history", "compromise", "antonio apr", "valeria paredes", "valeria", "paredes", "colorado", "courts", "judicial", "denver county", "dougco", "pagosa springs", "hacking", "modifications", "masquerading", "mock", "bannock st", "ericka", "arevalo antonio", "criminal attack", "cyber", "threat actors", "bots", "ascii text", "json", "ms windows", "pe32", "medium", "trojan", "august", "packer", "local", "next", "rat", "bat", "botnet", "cve", "yahoo", "pornhub", "dns", "remote", "password", "manipulation", "objection", "overruled", "your witness", "patriot act", "tsara brashears", "reflected", "targeting", "monitored target", "incc", "hua mucatul", "securityvaleria", "injection", "aquire", "correo", "number", "security apr", "document file", "v2 document", "little endian", "version", "msi installer", "code page", "template", "logmein", "title", "logmein rescue", "gh0strat", "emotet", "scar", "snake keylogger", "trojandropper", "review lo", "ccdk ,", "asnas20940", "tulach", "login join", "support privacy", "notice", "programs porn", "found pornstars", "videos movies", "now ooops", "we ca", "nt find", "the page", "sweet", "click", "back", "tulach", "they know", "1%", "f-h", "englert" ], "references": [ "https://www.coloradojudicial.gov/data", "https://cp.bankid.no", "coloradoproblemsolvingcourts.org?", "https://odr.coloradojudicial.gov/login", "http://coloradojudicial.gov/Courts/Supreme_Court/cjds", "www.its.courts.state.co.us", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.sweetheartvideo.com/tsara-brashears", "chrome.cloudflare-dns.com", "https://rockylinux.map.fastlydns.net/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908275-0", "display_name": "Win.Trojan.Generic-9908275-0", "target": null }, { "id": "Trojan:Win32/Scar.MR!MTB", "display_name": "Trojan:Win32/Scar.MR!MTB", "target": "/malware/Trojan:Win32/Scar.MR!MTB" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanDownloader:Win32/VB.IL", "display_name": "TrojanDownloader:Win32/VB.IL", "target": "/malware/TrojanDownloader:Win32/VB.IL" }, { "id": "TrojanDownloader:Win32/Inbat.H", "display_name": "TrojanDownloader:Win32/Inbat.H", "target": "/malware/TrojanDownloader:Win32/Inbat.H" }, { "id": "Trojan:Win32/Gupboot.B", "display_name": "Trojan:Win32/Gupboot.B", "target": "/malware/Trojan:Win32/Gupboot.B" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB", "target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Dorv.A", "display_name": "Trojan:Win32/Dorv.A", "target": "/malware/Trojan:Win32/Dorv.A" }, { "id": "Win.Trojan.Gh0stRAT-7480037-0", "display_name": "Win.Trojan.Gh0stRAT-7480037-0", "target": null }, { "id": "TrojanDownloader:Win32/Systex.A", "display_name": "TrojanDownloader:Win32/Systex.A", "target": "/malware/TrojanDownloader:Win32/Systex.A" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt", "target": null }, { "id": "Win.Trojan.Barys", "display_name": "Win.Trojan.Barys", "target": null }, { "id": "Win.Trojan.Killav-210", "display_name": "Win.Trojan.Killav-210", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "TrojanDownloader:Win32/Misfox", "display_name": "TrojanDownloader:Win32/Misfox", "target": "/malware/TrojanDownloader:Win32/Misfox" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1553.001", "name": "Gatekeeper Bypass", "display_name": "T1553.001 - Gatekeeper Bypass" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Technology", "Law" ], "TLP": "green", "cloned_from": "69f5d960e861f6159823ff0b", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 273, "hostname": 769, "URL": 1601, "FileHash-SHA256": 1576, "IPv4": 227, "FileHash-MD5": 197, "FileHash-SHA1": 109, "SSLCertFingerprint": 4, "IPv6": 4 }, "indicator_count": 4760, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a07250fb9562ea208d26946", "name": "Credit *Q.Vashti* Clone [\u2022 Virus Total | P.S Banker | Attacked/Blocked \u2022] ", "description": "", "modified": "2026-05-16T05:47:36.553000", "created": "2026-05-15T13:52:15.176000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": "69dc04c12782d2d76c111a93", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2, "IPv4": 1 }, "indicator_count": 4999, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dc04c12782d2d76c111a93", "name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked", "description": "", "modified": "2026-05-12T20:40:08.152000", "created": "2026-04-12T20:46:57.338000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2 }, "indicator_count": 4998, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://sub.test-fake-software.testpanw.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://sub.test-fake-software.testpanw.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780236402.1774278 }