{
"type": "URL",
"indicator": "https://thbgm.wh8pro.cc",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://thbgm.wh8pro.cc",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3392767164,
"indicator": "https://thbgm.wh8pro.cc",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 15,
"pulses": [
{
"id": "65cb4768b06f4da2fba5959b",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:44.270000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "760 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cb476d0566c2d07e474df5",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.140000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "760 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cb476d935dd560b4a3e938",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:49.380000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "760 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cb4772c3d3ad1f7accc98a",
"name": "Ryuk Ransomware - workers.dev | https://house.mo.gov",
"description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.",
"modified": "2024-03-14T09:04:37.097000",
"created": "2024-02-13T10:41:53.179000",
"tags": [
"contacted",
"ssl certificate",
"contacted urls",
"whois record",
"whois whois",
"relacionada",
"execution",
"p2404",
"kgs0",
"kls0",
"lockbit",
"lolkek",
"emotet",
"phishing",
"ursnif",
"malware",
"core",
"ryuk ransomware",
"qakbot",
"makop",
"hacktool",
"chaos",
"ransomexx",
"temp",
"localappdata",
"pattern match",
"ascii text",
"json data",
"united",
"indicator",
"prefetch8",
"observed email",
"unicode text",
"date",
"hybrid",
"win64",
"general",
"click",
"strings",
"tsara brashears",
"suspicious",
"falcon",
"name verdict",
"reinsurance",
"scan endpoints",
"all octoseek",
"domain",
"pulse pulses",
"passive dns",
"urls",
"files",
"ip address",
"location united",
"asn as13335",
"title",
"gmt server",
"user agent",
"443 ma2592000",
"hostname",
"encrypt",
"script urls",
"t matrix",
"dch v",
"meta",
"trang ch",
"body",
"status",
"search",
"creation date",
"record value",
"domain name",
"litespeed",
"certificate",
"speed",
"next",
"unknown",
"ipv4",
"reverse dns",
"name servers",
"expiration date",
"showing",
"pulse submit",
"gandi sas",
"moved",
"emails",
"servers",
"error",
"russia unknown",
"as31483",
"as12768",
"as30943",
"united kingdom",
"as208722 yandex",
"cname",
"spyware",
"tracking",
"login"
],
"references": [
"workers.dev [extraction \u2022 GET request attack]",
"ddos.dnsnb8.net [command_and_control]",
"www.supernetforme.com [command_and_control]",
"https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html",
"http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]",
"https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]",
"CVE: CVE-2023-23397",
"0-129-112027imap-intranet-pv-175-166.matomo.cloud",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://twitter.com/PORNO_SEXYBABES",
"sex-ukraine.net",
"http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com",
"feedercontroller.webcrawlingeap-prod-co4.binginternal.com",
"accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru",
"nexus.b2btest.ertelecom.ru",
"Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k",
"Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk",
"http://micrologin.ogspy.net/track/dhl-information-contact.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "LolKek",
"display_name": "LolKek",
"target": null
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "Ursnif",
"display_name": "Ursnif",
"target": null
},
{
"id": "Ryuk Ransomware",
"display_name": "Ryuk Ransomware",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1491",
"name": "Defacement",
"display_name": "T1491 - Defacement"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 127,
"FileHash-SHA1": 125,
"FileHash-SHA256": 4862,
"hostname": 3571,
"URL": 10597,
"CVE": 3,
"domain": 3169,
"email": 7
},
"indicator_count": 22461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "760 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657092f9499206cd87c73969",
"name": "iphone",
"description": "",
"modified": "2023-12-06T15:27:53.981000",
"created": "2023-12-06T15:27:53.981000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1768,
"hostname": 808,
"domain": 306,
"URL": 1938,
"FileHash-SHA1": 1
},
"indicator_count": 4821,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "859 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708a95ab15ef813f26cbb5",
"name": "New Data Wiper",
"description": "",
"modified": "2023-12-06T14:52:05.094000",
"created": "2023-12-06T14:52:05.094000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 151,
"domain": 34,
"URL": 363,
"hostname": 213,
"FileHash-MD5": 9,
"FileHash-SHA1": 4
},
"indicator_count": 774,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "859 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657080e2831409d23c8d24a5",
"name": "iMessages.app 03.01.2022",
"description": "",
"modified": "2023-12-06T14:10:42.459000",
"created": "2023-12-06T14:10:42.459000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1768,
"hostname": 808,
"domain": 306,
"URL": 1937,
"FileHash-SHA1": 1
},
"indicator_count": 4820,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "859 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657080c91dad41198eb749f7",
"name": "Hartintercivic.com",
"description": "",
"modified": "2023-12-06T14:10:17.112000",
"created": "2023-12-06T14:10:17.112000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1257,
"domain": 421,
"hostname": 1050,
"URL": 2321,
"FileHash-MD5": 1,
"FileHash-SHA1": 14
},
"indicator_count": 5064,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "859 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570804add74469eac78106c",
"name": "AngelPonce.com ~ Harris County Elections ADA Coordinator",
"description": "",
"modified": "2023-12-06T14:08:10.512000",
"created": "2023-12-06T14:08:10.512000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1148,
"domain": 286,
"hostname": 706,
"URL": 1406,
"email": 1,
"FileHash-SHA1": 5
},
"indicator_count": 3552,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "859 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6342b2b087554c9d5209b50b",
"name": "iphone",
"description": "",
"modified": "2022-11-09T00:03:32.403000",
"created": "2022-10-09T11:38:24.078000",
"tags": [],
"references": [
"iMessages.app"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "622775d4f2c38a89fdd0128a",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Lazzo115",
"id": "210949",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 306,
"URL": 1938,
"hostname": 808,
"FileHash-SHA256": 1768,
"FileHash-SHA1": 1
},
"indicator_count": 4821,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 8,
"modified_text": "1252 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6265af4c6414d087b17443cc",
"name": "google gmail account login source code for UK teenage account",
"description": "",
"modified": "2022-05-25T00:04:03.622000",
"created": "2022-04-24T20:13:00.304000",
"tags": [],
"references": [
"