{ "type": "URL", "indicator": "https://tor.terjan.net", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://tor.terjan.net", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2656352634, "indicator": "https://tor.terjan.net", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69a1a73eb0578b92962dae97", "name": "FBI Link (Ransomware)sent to a device. opened on its own. Why?", "description": "I wouldn\u2019t typically search an alleged authentic government site , except it opened on a device, no prompt. TrojanDownloader:Win32/Dalexis!rfn!rfn\nIDS Detections\nMaktub Locker TOR Status Check\nTOR Consensus Data Requested\nTOR 1.0 Server Key Retrieval\nTor Get Server Request\nTLS Handshake Failure\nYara Detections\nstack_string\nWho is : [URL\n[https://tor-dirauth.sebastianhahn.net/]\n[https://tor.sebastianhahn.net]\n[tor-dirauth.sebastianhahn.net]\n->gitbot.faui2k9.de\n[Status faui2k9.de -connect] connects to device \n100% Malicious | https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70 | [External resources discovered in HTML content:\ndap.digitalgov.gov | Pattern match: \"fbi.gov/contact-us/field-offices/denver/news/pr\"\nHeuristic match: \"x.com\" | will revisit", "modified": "2026-03-29T13:04:34.750000", "created": "2026-02-27T14:16:30.498000", "tags": [ "regopenkeyexw", "port", "destination", "cryptexportkey", "search", "show", "entries", "windows nt", "regsetvalueexa", "ip address", "malware", "copy", "write", "win32", "next", "format", "contacted", "less ip", "server", "organization", "city", "stateprovince", "postal code", "phone", "date", "registrar abuse", "privacy admin", "paris admin", "april", "february", "failed", "enter", "data upload", "passive dns", "urls", "aaaa", "certificate", "otx logo", "all hostname", "pulse submit", "url analysis", "files", "domain", "title", "body", "encrypt", "netherlands", "gmt content", "all ipv4", "amsterdam", "hetzner online", "gmbh", "summary", "url age", "de seen", "general info", "geo germany", "as as24940", "de note", "route", "direct", "pro platform", "logs", "suricata alert", "et info", "tls handshake", "bad traffic", "suricata alerts", "copy md5", "copy sha1", "copy sha256", "sha1", "size", "sha256", "pattern match", "ascii text", "mitre att", "ck id", "path", "unknown", "stop", "root", "hybrid", "general", "local", "form", "click", "strings", "9999", "learn", "adversaries", "name tactics", "suspicious", "informative", "command", "defense evasion", "spawns", "found", "show technique", "ck matrix", "href", "antivirus", "maktub locker", "tor status", "check" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1129, "domain": 148, "hostname": 753, "FileHash-SHA256": 548, "FileHash-MD5": 90, "FileHash-SHA1": 71, "SSLCertFingerprint": 8, "CIDR": 1, "email": 4 }, "indicator_count": 2752, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dd9423f9208dcc8701e12e", "name": "Maktub Locker TOR Status Check \u2022 Cab \\ Drive by( dbi.com) Malicious pic", "description": "After 911 told me I was bounced to the Denver, Co Station 5 , located 45 & Peoria in Denver , Colorado , not even close. \nThe phone number changed, only 911 access. Clue: I saw an Amber alert in n target phone when I powered it on. No all notices always turned off. Made a call\non contact list and screen changed to a plain faced interface. \n\nAfter finding a mother foundry link on targets phone I grew curious about a CEO\u2019s strange story of Palantir\u2019s Karp Theil roommate situation in Law School but I could only find one picture on of them on a campus in their late 40\u2019s. He\u2019s African American mixed. The picture of his mother in hacked phone is 215 yo. No information federal oversight as CEO right? Or limited information on crazy hacked device? \n\nClicked on link then OMGness\n\n#whatIfind #onhackeddevice #targeting", "modified": "2025-10-31T19:03:21.338000", "created": "2025-10-01T20:50:43.002000", "tags": [ "iocs", "logo", "passive dns", "related tags", "none google", "ipv4", "gogle", "twitter", "x.com", "ransomware", "fbi \u2019site\u2019", "python", "cloud", "regopenkeyexw", "read c", "port", "destination", "cryptexportkey", "count read", "tor get", "malware", "write", "format", "redacted for", "server", "privacy tech", "privacy admin", "country", "postal code", "organization", "date", "email", "code", "aaaa", "value a", "key identifier", "v3 serial", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "key algorithm", "ec oid", "maktub", "cnc", "python-projekt", "x post", "link", "android", "iphone", "google", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "spawns", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "mitre att", "show technique", "ck matrix", "title", "path", "hybrid", "general", "local", "form", "click", "strings", "body" ], "references": [ "FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm", "Entity CLOUD14", "CLOUDFLARENET - 104.16.148.244 , 104.19.148.244", "https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2", "https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05", "Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me", "Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval", "Tor Get Server Request \u2022 TLS Handshake Failure High Priority", "Yara Detections: stack_string Alerts: dead_host", "Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters", "Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Code Virus Ransomware", "display_name": "Code Virus Ransomware", "target": null }, { "id": "AVAST- Win32:Filecoder-AD\\ [Trj]", "display_name": "AVAST- Win32:Filecoder-AD\\ [Trj]", "target": null }, { "id": "CLAMAV - Win.Malware.Cabby-6803812", "display_name": "CLAMAV - Win.Malware.Cabby-6803812", "target": null }, { "id": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "display_name": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "target": "/malware/Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 574, "domain": 147, "FileHash-MD5": 156, "FileHash-SHA1": 130, "FileHash-SHA256": 539, "URL": 982, "SSLCertFingerprint": 4, "email": 2 }, "indicator_count": 2534, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66dfa5a84844f3703fea6b84", "name": "Maktub Locker Ransomware", "description": "Maktub Locker Ransomware is old, works and arrives to victims like typical ransomware. I . I'm can't make a valuable contribution regarding link that populates fbi.gov node without security header. . Tulach -114.114.114.114 is at the center of most of the vulnerabilities I've researched. I've removed Tsara Brashears and name and organizations relating Brian Sabey from pulse. VT Alexo auto populated in tags. Internet search shows he referenced link and 'black suits' I did not research VT-Alexo and I don't know his significance to the Ransomware link [link appears 1st in references]. \nThere has been so much government, healthcare, legal, and law enforcement entanglement and/or/likely impersonation regarding a main issue I've been researching. Lost in this moment...", "modified": "2024-10-09T21:01:40.228000", "created": "2024-09-10T01:49:28.437000", "tags": [ "axeljg", "kulinskiarkadi", "ip hostname", "reverse ip", "united", "regopenkeyexw", "cryptexportkey", "regsetvalueexa", "ip address", "medium", "regdword", "t1047", "instrumentation", "rpcs", "high", "win32", "malware", "showing", "entries disa", "entrypoint", "fbi.gov", "alexo", "germany", "united states", "brian sabey", "thebrotherssabey", "alexo virustotal", "yara detections", "ids detections", "contacted", "show", "medium windows", "alerts", "maktub locker", "tsara brashness dead", "aig", "soc", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "compiler", "vs2008", "vs2005", "contained", "info compiler", "products", "vs2008 sp1", "header intel", "name md5", "type", "language", "virus", "urls", "javascript", "b file", "files", "file type", "rich text", "format", "found", "downloads", "injection t1055", "spawns", "t1497 may", "https", "mitre att", "ta0002 shared", "modules t1129", "window", "get file", "check mutex", "print debug", "get disk", "check", "enumerate gui", "create mutex", "query", "enumerate", "create shortcut", "capture", "get http", "windows nt", "request", "response", "number", "algorithm", "ja3s", "cus cnr3", "subject", "http requests", "samplepath", "runtime modules", "referrer", "threat network", "infrastructure", "historical ssl", "approach", "ta413", "tibetan targets", "vy binh", "march", "tulach", "114.114.114.114", "libreoffice.org", "as174 cogent", "china unknown", "china", "passive dns", "entries", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "twitter", "problems", "domainabuse", "creation date", "search", "domain", "domain name", "expiration date", "nanjing", "date", "all search", "trojan", "trojan features", "related pulses", "file samples", "files matching", "sort" ], "references": [ "Ransomware\u00bbTrojanDownloader:Win32/Dalexis | FileHash-SHA256 01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32", "Antivirus Detections Win32:Filecoder-AD\\ [Trj] , Win.Malware.Cabby-6803812-0 , TrojanDownloader:Win32/Dalexis!rfn!rfn", "IDS Detections: Maktub Locker TOR Status Check TOR Consensus Data Requested TOR 1.0 Server Key Retrieval Tor Get Server Request TLS Handshake", "Domains Contacted: fbi.gov", "IP\u2019s Contacted: 104.16.149.244 128.31.0.39 131.188.40.189 14.200.177.98 148.251.79.57", "IP\u2019s Contacted: 185.220.100.255 199.249.230.142 199.254.238.52 23.128.248.20 45.58.156.76", "tulach.cc| 114.114.114.114 [public1.114dns.com] | thebrotherssabey | bian sabey under multiple WP & DGA domains , various titles , various roles", "External Hosts Top Country United States, Germany | IP Hostname: 104.16.149.244: fbi.gov | United States: AS13335 cloudflare", "Type Indicator Reason: IPv4 104.16.149.244 In CDN range: provider=cloudflare IPv4 131.188.40.189 IP Associated with Tor Exit Nodes", "Type Indicator Reason: IPv4 192.168.56.108 Private IP Address: IPv4 46.20.35.112 IP Associated with Tor Exit Nodes: Domain: fbi.gov", "PE Anomalies: entropy_based | Yara Detections: Yara Detections stack_string | Stack_String: stack_string E\u000fEEEE\u000fEEEE\u000fEEEE\u000fEEEE\u000fEE\u000fEE\u000fEE\u000fEE\u000f", "DISA Entrypoint: call 0x41259b jmp 0x40b3ac int3 int3 int3 int3 int3 int3 int3 int3", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32", "Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http packer_entropy", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters raises_exception", "Alerts: queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name", "Interesting Strings: http://ns.adobe.com/xap/1.0/mm/ http://ns.adobe.com/xap/1.0/ http://ns.adobe.com/xap/1.0/sType/ResourceRef", "Interesting Strings: http://www.w3.org/1999/02/22", "Virus: \"ba30376f915afa868763f84299fae5d2.virus.rtf - LibreOffice Writer\"", "Cryptographical plain text c\ufffdh\u000f\u00107\ufffd\ufffd1Q\ufffd\u0286\ufffd\u0254E\ufffdW\u0014\ufffd\u0382\ufffd Rw\ufffde\ufffd\ufffd%\u000b\ufffd\ufffd\ufffdreudt\ufffd\ufffd\ufffd", "IDS: Matches rule ET JA3 Hash - Possible Malware - Dridex", "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 129, 750, 824, 439, 282, 820, 21 , 63, 896, 91, 11, 202, 684 919,31 ,156, 743", "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 869, 42, 6, 443, 85, 416, 688, 117, 217, 217, 443, 709, 703, 879, 338, 682", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule (http_inspect) white space before or between HTTP messages Matches rule SURICATA HTTP Request abnormal Content-Encoding", "Sigma: Matches rule Failed Code Integrity Checks by Thomas Patzke Matches rule Process Creation Using Sysnative Folder by Max Altgelt", "YARA Signature Match - THOR APT Scanner - RULE_AUTHOR: Florian Roth", "RULE: MAL_Agent_May20_1 RULE_SET: Livehunt - Default22 Indicators RULE_TYPE: VALHALLA rule feed only \u26a1- RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/MAL_Agent_May20_1 DESCRIPTION:", "Detects malware used in activity noticed 05/2020 likely related to Chinese actor", "REFERENCE: ACSC IOCs May 2020 pivoting RULE_AUTHOR: Florian Roth", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "114.114.114.114 IDS Detections DYNAMIC_DNS Query to a *.ns1.name Domain Query to a *.top domain - Likely Hostile Observed DNS Query to .work", "IP 114.114.114.114 Antivirus Detections: !#SIGATTR:IEProxyChange , ALF:Backdoor:Win64/Meterpreter.AB!MTB ,", "IP 114.114.114.114 Antivirus Detections: ALF:PUA:Block:VrBrothers.R!MTB , ALF:Trojan:MSIL/AgentTesla.KM , ALFPER:RefLoadApiHash ,", "IP 114.114.114.114 Antivirus Detections: Backdoor:Linux/Dofloo.A!MTB , Backdoor:Linux/Gafgyt.AF!MTB , Can't access file ,", "IP 114.114.114.114 Antivirus Detections: Trojan:Win32/Magania.DSK!MTB , TEL:SIGATTR:CreateRemoteThread", "IP 114.114.114.114 Domain 114dns.com: PegasusPlus", "Emails: pegasusplus@gmail.com Name: Zhao Zhenping Name Servers: NS1000.114DNS.COM Org: Nanjing XinFeng Network Technologies, Inc.", "Address:\tRoom 301, Building 3B, Startup park, High Tech park, Shiyang Road 56, Baixia District, Nanjing, Jiangsu, China City nan jing shi Country", "https://blog.malwarebytes.org/intelligence/2016/03/maktub-locker-beautiful-and-dangerous/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China" ], "malware_families": [ { "id": "Maktub Locker", "display_name": "Maktub Locker", "target": null }, { "id": "TrojanDownloader:Win32/Dalexis!rfn!rfn", "display_name": "TrojanDownloader:Win32/Dalexis!rfn!rfn", "target": "/malware/TrojanDownloader:Win32/Dalexis!rfn!rfn" }, { "id": "Trojan:Win32/Magania", "display_name": "Trojan:Win32/Magania", "target": "/malware/Trojan:Win32/Magania" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Government", "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 182, "FileHash-SHA1": 199, "FileHash-SHA256": 2383, "domain": 395, "URL": 1382, "hostname": 699, "email": 2, "CVE": 1 }, "indicator_count": 5243, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "557 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Virus: \"ba30376f915afa868763f84299fae5d2.virus.rtf - LibreOffice Writer\"", "IP\u2019s Contacted: 104.16.149.244 128.31.0.39 131.188.40.189 14.200.177.98 148.251.79.57", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "IDS: Matches rule (http_inspect) white space before or between HTTP messages Matches rule SURICATA HTTP Request abnormal Content-Encoding", "CLOUDFLARENET - 104.16.148.244 , 104.19.148.244", "Sigma: Matches rule Failed Code Integrity Checks by Thomas Patzke Matches rule Process Creation Using Sysnative Folder by Max Altgelt", "114.114.114.114 IDS Detections DYNAMIC_DNS Query to a *.ns1.name Domain Query to a *.top domain - Likely Hostile Observed DNS Query to .work", "IP 114.114.114.114 Domain 114dns.com: PegasusPlus", "Interesting Strings: http://ns.adobe.com/xap/1.0/mm/ http://ns.adobe.com/xap/1.0/ http://ns.adobe.com/xap/1.0/sType/ResourceRef", "IDS: Matches rule ET JA3 Hash - Possible Malware - Dridex", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "Antivirus Detections Win32:Filecoder-AD\\ [Trj] , Win.Malware.Cabby-6803812-0 , TrojanDownloader:Win32/Dalexis!rfn!rfn", "IP\u2019s Contacted: 185.220.100.255 199.249.230.142 199.254.238.52 23.128.248.20 45.58.156.76", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32", "YARA Signature Match - THOR APT Scanner - RULE_AUTHOR: Florian Roth", "Type Indicator Reason: IPv4 104.16.149.244 In CDN range: provider=cloudflare IPv4 131.188.40.189 IP Associated with Tor Exit Nodes", "RULE: MAL_Agent_May20_1 RULE_SET: Livehunt - Default22 Indicators RULE_TYPE: VALHALLA rule feed only \u26a1- RULE_AUTHOR: Florian Roth", "Detects malware used in activity noticed 05/2020 likely related to Chinese actor", "IP 114.114.114.114 Antivirus Detections: ALF:PUA:Block:VrBrothers.R!MTB , ALF:Trojan:MSIL/AgentTesla.KM , ALFPER:RefLoadApiHash ,", "IP 114.114.114.114 Antivirus Detections: Backdoor:Linux/Dofloo.A!MTB , Backdoor:Linux/Gafgyt.AF!MTB , Can't access file ,", "Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me", "PE Anomalies: entropy_based | Yara Detections: Yara Detections stack_string | Stack_String: stack_string E\u000fEEEE\u000fEEEE\u000fEEEE\u000fEEEE\u000fEE\u000fEE\u000fEE\u000fEE\u000f", "Ransomware\u00bbTrojanDownloader:Win32/Dalexis | FileHash-SHA256 01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "Yara Detections: stack_string Alerts: dead_host", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters", "Cryptographical plain text c\ufffdh\u000f\u00107\ufffd\ufffd1Q\ufffd\u0286\ufffd\u0254E\ufffdW\u0014\ufffd\u0382\ufffd Rw\ufffde\ufffd\ufffd%\u000b\ufffd\ufffd\ufffdreudt\ufffd\ufffd\ufffd", "https://blog.malwarebytes.org/intelligence/2016/03/maktub-locker-beautiful-and-dangerous/", "Type Indicator Reason: IPv4 192.168.56.108 Private IP Address: IPv4 46.20.35.112 IP Associated with Tor Exit Nodes: Domain: fbi.gov", "Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http", "DISA Entrypoint: call 0x41259b jmp 0x40b3ac int3 int3 int3 int3 int3 int3 int3 int3", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/MAL_Agent_May20_1 DESCRIPTION:", "FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters raises_exception", "Emails: pegasusplus@gmail.com Name: Zhao Zhenping Name Servers: NS1000.114DNS.COM Org: Nanjing XinFeng Network Technologies, Inc.", "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 869, 42, 6, 443, 85, 416, 688, 117, 217, 217, 443, 709, 703, 879, 338, 682", "tulach.cc| 114.114.114.114 [public1.114dns.com] | thebrotherssabey | bian sabey under multiple WP & DGA domains , various titles , various roles", "Interesting Strings: http://www.w3.org/1999/02/22", "IP 114.114.114.114 Antivirus Detections: !#SIGATTR:IEProxyChange , ALF:Backdoor:Win64/Meterpreter.AB!MTB ,", "External Hosts Top Country United States, Germany | IP Hostname: 104.16.149.244: fbi.gov | United States: AS13335 cloudflare", "https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2", "Tor Get Server Request \u2022 TLS Handshake Failure High Priority", "Alerts: queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name", "Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval", "IDS Detections: Maktub Locker TOR Status Check TOR Consensus Data Requested TOR 1.0 Server Key Retrieval Tor Get Server Request TLS Handshake", "Address:\tRoom 301, Building 3B, Startup park, High Tech park, Shiyang Road 56, Baixia District, Nanjing, Jiangsu, China City nan jing shi Country", "https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05", "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 129, 750, 824, 439, 282, 820, 21 , 63, 896, 91, 11, 202, 684 919,31 ,156, 743", "Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception", "Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http packer_entropy", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "REFERENCE: ACSC IOCs May 2020 pivoting RULE_AUTHOR: Florian Roth", "IP 114.114.114.114 Antivirus Detections: Trojan:Win32/Magania.DSK!MTB , TEL:SIGATTR:CreateRemoteThread", "Domains Contacted: fbi.gov", "Entity CLOUD14" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojandownloader:win32/dalexis!rfn!rfn", "Trojan:win32/magania", "Clamav - win.malware.cabby-6803812", "Ms defender - trojandownloader:win32/dalexis!rfn!rfn", "Maktub locker", "Avast- win32:filecoder-ad\\ [trj]", "Code virus ransomware" ], "industries": [ "Technology", "Telecommunications", "Government" ], "unique_indicators": 9165 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/terjan.net", "whois": "http://whois.domaintools.com/terjan.net", "domain": "terjan.net", "hostname": "tor.terjan.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69a1a73eb0578b92962dae97", "name": "FBI Link (Ransomware)sent to a device. opened on its own. Why?", "description": "I wouldn\u2019t typically search an alleged authentic government site , except it opened on a device, no prompt. TrojanDownloader:Win32/Dalexis!rfn!rfn\nIDS Detections\nMaktub Locker TOR Status Check\nTOR Consensus Data Requested\nTOR 1.0 Server Key Retrieval\nTor Get Server Request\nTLS Handshake Failure\nYara Detections\nstack_string\nWho is : [URL\n[https://tor-dirauth.sebastianhahn.net/]\n[https://tor.sebastianhahn.net]\n[tor-dirauth.sebastianhahn.net]\n->gitbot.faui2k9.de\n[Status faui2k9.de -connect] connects to device \n100% Malicious | https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70 | [External resources discovered in HTML content:\ndap.digitalgov.gov | Pattern match: \"fbi.gov/contact-us/field-offices/denver/news/pr\"\nHeuristic match: \"x.com\" | will revisit", "modified": "2026-03-29T13:04:34.750000", "created": "2026-02-27T14:16:30.498000", "tags": [ "regopenkeyexw", "port", "destination", "cryptexportkey", "search", "show", "entries", "windows nt", "regsetvalueexa", "ip address", "malware", "copy", "write", "win32", "next", "format", "contacted", "less ip", "server", "organization", "city", "stateprovince", "postal code", "phone", "date", "registrar abuse", "privacy admin", "paris admin", "april", "february", "failed", "enter", "data upload", "passive dns", "urls", "aaaa", "certificate", "otx logo", "all hostname", "pulse submit", "url analysis", "files", "domain", "title", "body", "encrypt", "netherlands", "gmt content", "all ipv4", "amsterdam", "hetzner online", "gmbh", "summary", "url age", "de seen", "general info", "geo germany", "as as24940", "de note", "route", "direct", "pro platform", "logs", "suricata alert", "et info", "tls handshake", "bad traffic", "suricata alerts", "copy md5", "copy sha1", "copy sha256", "sha1", "size", "sha256", "pattern match", "ascii text", "mitre att", "ck id", "path", "unknown", "stop", "root", "hybrid", "general", "local", "form", "click", "strings", "9999", "learn", "adversaries", "name tactics", "suspicious", "informative", "command", "defense evasion", "spawns", "found", "show technique", "ck matrix", "href", "antivirus", "maktub locker", "tor status", "check" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1129, "domain": 148, "hostname": 753, "FileHash-SHA256": 548, "FileHash-MD5": 90, "FileHash-SHA1": 71, "SSLCertFingerprint": 8, "CIDR": 1, "email": 4 }, "indicator_count": 2752, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dd9423f9208dcc8701e12e", "name": "Maktub Locker TOR Status Check \u2022 Cab \\ Drive by( dbi.com) Malicious pic", "description": "After 911 told me I was bounced to the Denver, Co Station 5 , located 45 & Peoria in Denver , Colorado , not even close. \nThe phone number changed, only 911 access. Clue: I saw an Amber alert in n target phone when I powered it on. No all notices always turned off. Made a call\non contact list and screen changed to a plain faced interface. \n\nAfter finding a mother foundry link on targets phone I grew curious about a CEO\u2019s strange story of Palantir\u2019s Karp Theil roommate situation in Law School but I could only find one picture on of them on a campus in their late 40\u2019s. He\u2019s African American mixed. The picture of his mother in hacked phone is 215 yo. No information federal oversight as CEO right? Or limited information on crazy hacked device? \n\nClicked on link then OMGness\n\n#whatIfind #onhackeddevice #targeting", "modified": "2025-10-31T19:03:21.338000", "created": "2025-10-01T20:50:43.002000", "tags": [ "iocs", "logo", "passive dns", "related tags", "none google", "ipv4", "gogle", "twitter", "x.com", "ransomware", "fbi \u2019site\u2019", "python", "cloud", "regopenkeyexw", "read c", "port", "destination", "cryptexportkey", "count read", "tor get", "malware", "write", "format", "redacted for", "server", "privacy tech", "privacy admin", "country", "postal code", "organization", "date", "email", "code", "aaaa", "value a", "key identifier", "v3 serial", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "key algorithm", "ec oid", "maktub", "cnc", "python-projekt", "x post", "link", "android", "iphone", "google", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "spawns", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "size", "mitre att", "show technique", "ck matrix", "title", "path", "hybrid", "general", "local", "form", "click", "strings", "body" ], "references": [ "FBI.GOV - VT I\u2019m looking @ says website is legitimate & not misused - hmm", "Entity CLOUD14", "CLOUDFLARENET - 104.16.148.244 , 104.19.148.244", "https://otx.alienvault.com/indicator/file/ba30376f915afa868763f84299fae5d2", "https://hybrid-analysis.com/sample/f2b943e81f1b284cf9dabb4ff156526a02ecca485ac117714867d92b262c8fdd/68dd867e3bc50d9068072c05", "Hashtags left on Hybrid Analysis (above) weren\u2019t posted by me", "Maktub Locker TOR Status Check \u2022 TOR Consensus Data Requested \u2022 TOR 1.0 Server Key Retrieval", "Tor Get Server Request \u2022 TLS Handshake Failure High Priority", "Yara Detections: stack_string Alerts: dead_host", "Alerts: network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters", "Alerts: packer_entropy queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name raises_exception" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Code Virus Ransomware", "display_name": "Code Virus Ransomware", "target": null }, { "id": "AVAST- Win32:Filecoder-AD\\ [Trj]", "display_name": "AVAST- Win32:Filecoder-AD\\ [Trj]", "target": null }, { "id": "CLAMAV - Win.Malware.Cabby-6803812", "display_name": "CLAMAV - Win.Malware.Cabby-6803812", "target": null }, { "id": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "display_name": "Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn", "target": "/malware/Ms Defender - TrojanDownloader:Win32/Dalexis!rfn!rfn" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 574, "domain": 147, "FileHash-MD5": 156, "FileHash-SHA1": 130, "FileHash-SHA256": 539, "URL": 982, "SSLCertFingerprint": 4, "email": 2 }, "indicator_count": 2534, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66dfa5a84844f3703fea6b84", "name": "Maktub Locker Ransomware", "description": "Maktub Locker Ransomware is old, works and arrives to victims like typical ransomware. I . I'm can't make a valuable contribution regarding link that populates fbi.gov node without security header. . Tulach -114.114.114.114 is at the center of most of the vulnerabilities I've researched. I've removed Tsara Brashears and name and organizations relating Brian Sabey from pulse. VT Alexo auto populated in tags. Internet search shows he referenced link and 'black suits' I did not research VT-Alexo and I don't know his significance to the Ransomware link [link appears 1st in references]. \nThere has been so much government, healthcare, legal, and law enforcement entanglement and/or/likely impersonation regarding a main issue I've been researching. Lost in this moment...", "modified": "2024-10-09T21:01:40.228000", "created": "2024-09-10T01:49:28.437000", "tags": [ "axeljg", "kulinskiarkadi", "ip hostname", "reverse ip", "united", "regopenkeyexw", "cryptexportkey", "regsetvalueexa", "ip address", "medium", "regdword", "t1047", "instrumentation", "rpcs", "high", "win32", "malware", "showing", "entries disa", "entrypoint", "fbi.gov", "alexo", "germany", "united states", "brian sabey", "thebrotherssabey", "alexo virustotal", "yara detections", "ids detections", "contacted", "show", "medium windows", "alerts", "maktub locker", "tsara brashness dead", "aig", "soc", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "compiler", "vs2008", "vs2005", "contained", "info compiler", "products", "vs2008 sp1", "header intel", "name md5", "type", "language", "virus", "urls", "javascript", "b file", "files", "file type", "rich text", "format", "found", "downloads", "injection t1055", "spawns", "t1497 may", "https", "mitre att", "ta0002 shared", "modules t1129", "window", "get file", "check mutex", "print debug", "get disk", "check", "enumerate gui", "create mutex", "query", "enumerate", "create shortcut", "capture", "get http", "windows nt", "request", "response", "number", "algorithm", "ja3s", "cus cnr3", "subject", "http requests", "samplepath", "runtime modules", "referrer", "threat network", "infrastructure", "historical ssl", "approach", "ta413", "tibetan targets", "vy binh", "march", "tulach", "114.114.114.114", "libreoffice.org", "as174 cogent", "china unknown", "china", "passive dns", "entries", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "twitter", "problems", "domainabuse", "creation date", "search", "domain", "domain name", "expiration date", "nanjing", "date", "all search", "trojan", "trojan features", "related pulses", "file samples", "files matching", "sort" ], "references": [ "Ransomware\u00bbTrojanDownloader:Win32/Dalexis | FileHash-SHA256 01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32", "Antivirus Detections Win32:Filecoder-AD\\ [Trj] , Win.Malware.Cabby-6803812-0 , TrojanDownloader:Win32/Dalexis!rfn!rfn", "IDS Detections: Maktub Locker TOR Status Check TOR Consensus Data Requested TOR 1.0 Server Key Retrieval Tor Get Server Request TLS Handshake", "Domains Contacted: fbi.gov", "IP\u2019s Contacted: 104.16.149.244 128.31.0.39 131.188.40.189 14.200.177.98 148.251.79.57", "IP\u2019s Contacted: 185.220.100.255 199.249.230.142 199.254.238.52 23.128.248.20 45.58.156.76", "tulach.cc| 114.114.114.114 [public1.114dns.com] | thebrotherssabey | bian sabey under multiple WP & DGA domains , various titles , various roles", "External Hosts Top Country United States, Germany | IP Hostname: 104.16.149.244: fbi.gov | United States: AS13335 cloudflare", "Type Indicator Reason: IPv4 104.16.149.244 In CDN range: provider=cloudflare IPv4 131.188.40.189 IP Associated with Tor Exit Nodes", "Type Indicator Reason: IPv4 192.168.56.108 Private IP Address: IPv4 46.20.35.112 IP Associated with Tor Exit Nodes: Domain: fbi.gov", "PE Anomalies: entropy_based | Yara Detections: Yara Detections stack_string | Stack_String: stack_string E\u000fEEEE\u000fEEEE\u000fEEEE\u000fEEEE\u000fEE\u000fEE\u000fEE\u000fEE\u000f", "DISA Entrypoint: call 0x41259b jmp 0x40b3ac int3 int3 int3 int3 int3 int3 int3 int3", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32", "Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad network_cnc_http network_http packer_entropy", "Alerts: allocates_rwx creates_hidden_file dropper has_wmi protection_rx antivm_network_adapters raises_exception", "Alerts: queries_programs wmi_antivm checks_debugger generates_crypto_key recon_fingerprint pe_unknown_resource_name", "Interesting Strings: http://ns.adobe.com/xap/1.0/mm/ http://ns.adobe.com/xap/1.0/ http://ns.adobe.com/xap/1.0/sType/ResourceRef", "Interesting Strings: http://www.w3.org/1999/02/22", "Virus: \"ba30376f915afa868763f84299fae5d2.virus.rtf - LibreOffice Writer\"", "Cryptographical plain text c\ufffdh\u000f\u00107\ufffd\ufffd1Q\ufffd\u0286\ufffd\u0254E\ufffdW\u0014\ufffd\u0382\ufffd Rw\ufffde\ufffd\ufffd%\u000b\ufffd\ufffd\ufffdreudt\ufffd\ufffd\ufffd", "IDS: Matches rule ET JA3 Hash - Possible Malware - Dridex", "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 129, 750, 824, 439, 282, 820, 21 , 63, 896, 91, 11, 202, 684 919,31 ,156, 743", "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic Groups: 869, 42, 6, 443, 85, 416, 688, 117, 217, 217, 443, 709, 703, 879, 338, 682", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule POLICY-OTHER HTTP request by IPv4 address attempt Matches rule POLICY-OTHER TOR traffic anonymizer server request Matches rule ET POLICY TOR Consensus Data Requested Matches rule ET P2P Tor Get Server Request Matches rule ET P2P TOR 1.0 Server Key Retrieval", "IDS: Matches rule (http_inspect) white space before or between HTTP messages Matches rule SURICATA HTTP Request abnormal Content-Encoding", "Sigma: Matches rule Failed Code Integrity Checks by Thomas Patzke Matches rule Process Creation Using Sysnative Folder by Max Altgelt", "YARA Signature Match - THOR APT Scanner - RULE_AUTHOR: Florian Roth", "RULE: MAL_Agent_May20_1 RULE_SET: Livehunt - Default22 Indicators RULE_TYPE: VALHALLA rule feed only \u26a1- RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/MAL_Agent_May20_1 DESCRIPTION:", "Detects malware used in activity noticed 05/2020 likely related to Chinese actor", "REFERENCE: ACSC IOCs May 2020 pivoting RULE_AUTHOR: Florian Roth", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "114.114.114.114 IDS Detections DYNAMIC_DNS Query to a *.ns1.name Domain Query to a *.top domain - Likely Hostile Observed DNS Query to .work", "IP 114.114.114.114 Antivirus Detections: !#SIGATTR:IEProxyChange , ALF:Backdoor:Win64/Meterpreter.AB!MTB ,", "IP 114.114.114.114 Antivirus Detections: ALF:PUA:Block:VrBrothers.R!MTB , ALF:Trojan:MSIL/AgentTesla.KM , ALFPER:RefLoadApiHash ,", "IP 114.114.114.114 Antivirus Detections: Backdoor:Linux/Dofloo.A!MTB , Backdoor:Linux/Gafgyt.AF!MTB , Can't access file ,", "IP 114.114.114.114 Antivirus Detections: Trojan:Win32/Magania.DSK!MTB , TEL:SIGATTR:CreateRemoteThread", "IP 114.114.114.114 Domain 114dns.com: PegasusPlus", "Emails: pegasusplus@gmail.com Name: Zhao Zhenping Name Servers: NS1000.114DNS.COM Org: Nanjing XinFeng Network Technologies, Inc.", "Address:\tRoom 301, Building 3B, Startup park, High Tech park, Shiyang Road 56, Baixia District, Nanjing, Jiangsu, China City nan jing shi Country", "https://blog.malwarebytes.org/intelligence/2016/03/maktub-locker-beautiful-and-dangerous/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China" ], "malware_families": [ { "id": "Maktub Locker", "display_name": "Maktub Locker", "target": null }, { "id": "TrojanDownloader:Win32/Dalexis!rfn!rfn", "display_name": "TrojanDownloader:Win32/Dalexis!rfn!rfn", "target": "/malware/TrojanDownloader:Win32/Dalexis!rfn!rfn" }, { "id": "Trojan:Win32/Magania", "display_name": "Trojan:Win32/Magania", "target": "/malware/Trojan:Win32/Magania" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Government", "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 182, "FileHash-SHA1": 199, "FileHash-SHA256": 2383, "domain": 395, "URL": 1382, "hostname": 699, "email": 2, "CVE": 1 }, "indicator_count": 5243, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "557 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://tor.terjan.net", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://tor.terjan.net", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776640781.563784 }