{ "type": "URL", "indicator": "https://update.phpts.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://update.phpts.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3783373766, "indicator": "https://update.phpts.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "6650751b8dd6c7d00f0d7478", "name": "ET INFO Terse | Apple | Win.Trojan.Zbot-6598057-0", "description": "Tags, results generated by Level Blue OTX. AlienVault\nMy limited research results: \nApple | CIDR\n17.0.0.0/8\nFileHash-SHA256 d9ff17dd19a01ad64a77df6837e566319d16a235ac7223b9f565f470e57154c8 | Antivirus Detections\nWin32:Dropper-gen, Adware.Xadupi.B, Mirai, Win.Trojan.Zbot-6598057-0,\na variant of Win32/ELEX.IE potentially unwanted, Adware.Xadupi.B, Artemis!69E9EFD2E75E\nIDS Detections:\nET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile.\nYara Detections: dbgdetect_funcs,\nAlerts: injection_runpe,\nnetwork_icmp,\nallocates_execute_remote_process,\npersistence_autorun,\ncreates_service,\ninjection_modifies_memory,\ninjection_write_memory,\nprocess_martian,\nransomware_extensions,\nransomware_mass_file_delete", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:08:10.044000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66507a6eb3fde0552a6ebd9d", "name": "Sweet QuaDreams Apple | Hostile Spy campaign | Service modifier (Updated) ", "description": "", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:30:54.138000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6650751b8dd6c7d00f0d7478", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "861 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65574cb4447c8d87ad85fa75", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-17T11:21:24.343000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": null, "export_count": 103, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65574cbe6bdbe24ecb170b24", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-17T11:21:34.083000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": null, "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580c1516990d69644fb3d0", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-18T00:57:57.372000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": "65574cb4447c8d87ad85fa75", "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580c17e69371b34a573f72", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-18T00:57:59.619000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": "65574cb4447c8d87ad85fa75", "export_count": 103, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://www.sos.state.co/ [interesting]", "watson.telemetry.microsoft.us [Data traffic manager]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "http://www.screensaver.com/ruxitbeacon", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "https://www.apple.com/qtactivex/qtplugin.cab", "http://dns1.whitelist.camect.com [interesting]", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "https://www.jbits.courts.state.co [interesting]", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "20.190.160.73 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "www.anyxxxtube.net [tracking]", "Crowdsourced YARA Rulesets", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "20.190.160.2 Microsoft [exploit_source]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Webtoolbar", "Maltiverse", "Beach research", "Malware", "Tulach", "Apple" ], "industries": [ "Nutritional", "Health", "Medical", "Medicine" ], "unique_indicators": 42784 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/phpts.com", "whois": "http://whois.domaintools.com/phpts.com", "domain": "phpts.com", "hostname": "update.phpts.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "6650751b8dd6c7d00f0d7478", "name": "ET INFO Terse | Apple | Win.Trojan.Zbot-6598057-0", "description": "Tags, results generated by Level Blue OTX. AlienVault\nMy limited research results: \nApple | CIDR\n17.0.0.0/8\nFileHash-SHA256 d9ff17dd19a01ad64a77df6837e566319d16a235ac7223b9f565f470e57154c8 | Antivirus Detections\nWin32:Dropper-gen, Adware.Xadupi.B, Mirai, Win.Trojan.Zbot-6598057-0,\na variant of Win32/ELEX.IE potentially unwanted, Adware.Xadupi.B, Artemis!69E9EFD2E75E\nIDS Detections:\nET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile.\nYara Detections: dbgdetect_funcs,\nAlerts: injection_runpe,\nnetwork_icmp,\nallocates_execute_remote_process,\npersistence_autorun,\ncreates_service,\ninjection_modifies_memory,\ninjection_write_memory,\nprocess_martian,\nransomware_extensions,\nransomware_mass_file_delete", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:08:10.044000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66507a6eb3fde0552a6ebd9d", "name": "Sweet QuaDreams Apple | Hostile Spy campaign | Service modifier (Updated) ", "description": "", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:30:54.138000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6650751b8dd6c7d00f0d7478", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "861 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65574cb4447c8d87ad85fa75", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-17T11:21:24.343000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": null, "export_count": 103, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65574cbe6bdbe24ecb170b24", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-17T11:21:34.083000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": null, "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580c1516990d69644fb3d0", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-18T00:57:57.372000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": "65574cb4447c8d87ad85fa75", "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580c17e69371b34a573f72", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-18T00:57:59.619000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": "65574cb4447c8d87ad85fa75", "export_count": 103, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "895 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://update.phpts.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://update.phpts.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780223560.8609877 }