{ "type": "URL", "indicator": "https://w.location.search/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://w.location.search/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3825298998, "indicator": "https://w.location.search/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "65eea19a23474b8c7dca351f", "name": "All Items - find from the UA archive disk", "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things", "modified": "2025-12-24T08:28:47.628000", "created": "2024-03-11T06:15:54.351000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "160 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6639853fc403f7be5bd6f27d", "name": "Facebook+", "description": "", "modified": "2024-05-07T01:34:55.365000", "created": "2024-05-07T01:34:55.365000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "65eea19a23474b8c7dca351f", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Phone2209", "id": "281168", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "757 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e576d419524d75af35a36e", "name": "FormBook", "description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.", "modified": "2024-04-03T05:03:03.527000", "created": "2024-03-04T07:23:00.177000", "tags": [ "resolutions", "referrer", "siblings", "asn owner", "historical ssl", "contacted", "high level", "hackers", "formbook", "name verdict", "falcon sandbox", "report", "united", "registrar", "creation date", "search", "emails", "name", "name servers", "showing", "unknown", "scan endpoints", "date", "next", "root ca", "pattern match", "authority", "beginstring", "class", "mitre att", "global root", "ck id", "show technique", "ck matrix", "null", "accept", "refresh", "span", "error", "tools", "body", "look", "verify", "restart", "hybrid", "local", "click", "strings", "files files", "ssl certificate", "tsara brashears", "highly targeted", "ransomware", "dark power", "play ransomware", "malware", "core", "installer", "awful", "snatch", "metro", "service", "critical", "copy", "execution", "location united", "asn as15169", "less whois", "as15169 google", "status", "entries", "record value", "servers", "trojan", "win32", "aaaa", "worm", "passive dns", "gmt cache", "sameorigin", "all scoreblue", "ipv4", "lowfi", "domain related", "urls", "domain", "nxdomain", "hostname", "users", "yara detections", "alerts", "high", "filehash", "pulse pulses", "av detections", "ids detections", "musicmaid", "reader", "office standard", "high process", "injection t1055", "t1055", "x00x00", "icmp traffic", "injection", "hijacker", "password", "stealer", "corruption", "targeting", "172.31.13.249" ], "references": [ "gstatic.com", "Unsupported/Fake Windows NT Version 5.0", "Login privileges", "172.31.13.249" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Dorv.B!rfn", "display_name": "Trojan:Win32/Dorv.B!rfn", "target": "/malware/Trojan:Win32/Dorv.B!rfn" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "PWS:MSIL/Dcstl.GD!MTB", "display_name": "PWS:MSIL/Dcstl.GD!MTB", "target": "/malware/PWS:MSIL/Dcstl.GD!MTB" }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Win32:MalwareX-gen\\ [Trj]", "display_name": "Win32:MalwareX-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1002", "name": "Data Compressed", "display_name": "T1002 - Data Compressed" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3117, "FileHash-MD5": 280, "FileHash-SHA1": 286, "FileHash-SHA256": 3773, "domain": 1264, "hostname": 1595, "email": 6, "CVE": 5 }, "indicator_count": 10326, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e57f32581a900dfb272d05", "name": "FormBook | 172.31.13.249", "description": "", "modified": "2024-04-03T05:03:03.527000", "created": "2024-03-04T07:58:42.074000", "tags": [ "resolutions", "referrer", "siblings", "asn owner", "historical ssl", "contacted", "high level", "hackers", "formbook", "name verdict", "falcon sandbox", "report", "united", "registrar", "creation date", "search", "emails", "name", "name servers", "showing", "unknown", "scan endpoints", "date", "next", "root ca", "pattern match", "authority", "beginstring", "class", "mitre att", "global root", "ck id", "show technique", "ck matrix", "null", "accept", "refresh", "span", "error", "tools", "body", "look", "verify", "restart", "hybrid", "local", "click", "strings", "files files", "ssl certificate", "tsara brashears", "highly targeted", "ransomware", "dark power", "play ransomware", "malware", "core", "installer", "awful", "snatch", "metro", "service", "critical", "copy", "execution", "location united", "asn as15169", "less whois", "as15169 google", "status", "entries", "record value", "servers", "trojan", "win32", "aaaa", "worm", "passive dns", "gmt cache", "sameorigin", "all scoreblue", "ipv4", "lowfi", "domain related", "urls", "domain", "nxdomain", "hostname", "users", "yara detections", "alerts", "high", "filehash", "pulse pulses", "av detections", "ids detections", "musicmaid", "reader", "office standard", "high process", "injection t1055", "t1055", "x00x00", "icmp traffic", "injection", "hijacker", "password", "stealer", "corruption", "targeting", "172.31.13.249" ], "references": [ "gstatic.com", "Unsupported/Fake Windows NT Version 5.0", "Login privileges", "172.31.13.249" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Dorv.B!rfn", "display_name": "Trojan:Win32/Dorv.B!rfn", "target": "/malware/Trojan:Win32/Dorv.B!rfn" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "PWS:MSIL/Dcstl.GD!MTB", "display_name": "PWS:MSIL/Dcstl.GD!MTB", "target": "/malware/PWS:MSIL/Dcstl.GD!MTB" }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Win32:MalwareX-gen\\ [Trj]", "display_name": "Win32:MalwareX-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1002", "name": "Data Compressed", "display_name": "T1002 - Data Compressed" } ], "industries": [], "TLP": "white", "cloned_from": "65e576d419524d75af35a36e", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3117, "FileHash-MD5": 280, "FileHash-SHA1": 286, "FileHash-SHA256": 3773, "domain": 1264, "hostname": 1595, "email": 6, "CVE": 5 }, "indicator_count": 10326, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ca2c15ef8b75bd6e216604", "name": "Does this help?", "description": "A guide to the key words and phrases used to describe a Facebook user's identity, as well as the language they use to express their desire to use the social networking site, and the answers to some of them.", "modified": "2024-03-13T14:03:24.834000", "created": "2024-02-12T14:32:53.743000", "tags": [ "your request", "email", "password forgot", "sign up", "return home", "english", "espaol franais", "france", "portugus", "brasil", "meta", "helvetica", "input", "neue", "arial", "neue medium", "neue light", "f7f8fa", "e4e6eb", "span", "fbpkgdelim", "https", "intlsavelocale", "help", "lite", "marketplace", "fundraisers", "careers", "facebook search", "clear", "facebook", "date", "null", "image", "math", "avozjyab7ng", "typesearch", "article", "sans", "helvetica neue", "sansseriflight", "symbol", "iterator", "fblogger", "typeerror", "sitedata", "errorguard", "timeslice", "typeof", "arbiter", "error", "blank", "phase", "firefox", "phone", "iemobile", "create", "connect", "forgot password", "page", "website", "cookie", "banzai", "falcoutils", "random", "cookiecore", "persistedqueue", "clock", "mcss", "mevent", "number", "urlsearchparams", "internalenum", "banzailogger", "97hz", "messagereceived", "mdom", "stratcom", "mviewport", "mhistory", "mpagecache", "muri", "scriptpath", "mvector", "keys", "kaioscontroller", "webstorage", "portaltv", "timesliceimpl", "serverjs", "mrun", "murigo", "promiseimpl", "mdatastore", "mdtsg", "mdtsgasync", "4328", "5540", "bigpipe", "5954", "6972", "usidmetadata", "ps8qy011yx6dcb", "5888", "3904", "4806", "6687", "eventconfig", "default5000", "zekacv", "fbtlogging", "dvatkzf", "banzaibase", "mgetfbtresult", "mfbjson", "meventlistener", "u0001", "i9zo81o", "5943", "addressbar", "banzaiadapter", "intlvariations", "uint8array", "websession", "boolean", "void", "shutdown", "mpagecontroller", "mstopngo", "javelinhistory", "mhome", "errorutils" ], "references": [ "https://static.xx.fbcdn.net/rsrc.php/v3/y7/l/0,cross/04QJzvjR9Wh.css", "https://static.xx.fbcdn.net/rsrc.php/v3/yw/l/0,cross/CXjTiRbc_8T.css?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/y7/l/0,cross/04QJzvjR9Wh.css?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/ys/r/3eq9Oo5XUhW.js?_nc_x=Ij3Wp8lg5Kz", "https://m.facebook.com/", "https://static.xx.fbcdn.net/rsrc.php/v3/ye/r/1pdBd6ULIhq.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3iLQG4/yB/l/en_US/ZrB35JaC5Ph.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3iLl54/yO/l/en_US/9t3PW1CRLNe.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/ys/r/FtcggJWVWTF.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/y3/r/U86edKxQdCC.js?_nc_x=Ij3Wp8lg5K", "https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/FMIZEwefrSt.js?_nc_x=Ij3Wp8lg5Kz" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tyfdyT-3xafve-momsos", "id": "228887", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 94, "domain": 28, "hostname": 55, "FileHash-SHA1": 1, "FileHash-MD5": 1, "FileHash-SHA256": 2 }, "indicator_count": 181, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ca380d2d92d403572c6ba5", "name": "Ummm yeah.", "description": "E-mail: e-bryderon-e-satellite-to-be, \u00c2\u00a31.5m, to be used as a link to the International Space Station.", "modified": "2024-03-13T14:03:24.834000", "created": "2024-02-12T15:23:57.994000", "tags": [ "timesliceimpl", "serverjs", "mrun", "murigo", "promiseimpl", "mdatastore", "mdtsg", "mdtsgasync", "avqvwtpup1i", "timeslice", "4328", "5540", "zekacv", "fbtlogging", "mfbjson", "banzaibase", "mgetfbtresult", "meventlistener", "u0001", "v3ugoou", "nskv1me", "5943", "addressbar", "mcss", "mevent", "3904", "6687", "eventconfig", "default5000", "min100", "1726", "gmt connection", "status code", "bad request", "http response", "date", "null", "image", "math", "avozjyabfg0", "moved", "found", "gmt altsvc", "avozjyabbdg", "symbol", "facebook", "the software", "facebook pixel", "error", "pixel code", "copyright", "apis", "policy", "http", "scriptpath", "banzai", "clickrefutils", "arbiter", "persistedqueue", "void", "sessionname", "event", "websession", "cookie", "xcontroller", "bool", "ignoredynamic", "cssimg", "herotracinghold", "ignore", "loadingstate", "mediavcimage", "graphik lcg", "graphik arabic", "web regular", "helvetica neue", "helvetica", "arial", "lucida grande", "sansserif", "fbpkgdelim", "runblue", "asyncrequest", "runwww", "fbjson", "dtsg", "dtsgasync", "2915", "pageview", "init", "675141479195042", "574561515946252", "z m82", "post", "edit", "edited", "view" ], "references": [ "https://connect.facebook.net/signals/config/1916681798651990?v=2.9.145&r=stable&domain=developers.facebook.com&hme=20c913bdcd4be51a752120153aa5caaecb3ee86c7f26cf737846e40b202aba68&ex_m=62%2C106%2C94%2C98%2C53%2C3%2C88%2C61%2C14%2C86%2C79%2C44%2C46%2C150%2C153%2C164%2C160%2C161%2C163%2C25%2C89%2C45%2C68%2C162%2C145%2C148%2C157%2C158%2C165%2C115%2C13%2C43%2C169%2C168%2C117%2C16%2C29%2C32%2C1%2C36%2C57%2C58%2C59%2C63%2C83%2C15%2C12%2C85%2C82%2C81%2C95%2C97%2C31%2C96%2C26%2C22%2C146%2C149%2C124%2C24%2C9%2C10%2C", "https://static.xx.fbcdn.net/rsrc.php/v3ihVQ4/y0/l/en_US/vPxpLcwHX7V.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/yq/r/zrtbGCoE-kJ.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/y9/r/fRsOvQa49Br.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/ym/l/0,cross/fngpW-FrVhd.css?_nc_x=Ij3Wp8lg", "https://www.facebook.com/tr?id=675141479195042&ev=PageView&noscript=1", "https://scontent.fyvr2-1.fna.fbcdn.net/v/t39.2365-6/294896942_578136803798152_4396611467422003184_n.svg?_nc_cat=103&ccb=1-7&_nc_sid=e280be&_nc_ohc=l4z2NxVw9_sAX-QewmZ&_nc_ht=scontent.fyvr2-1.fna&oh=00_AfBu307FrljF61Vlh4c5Eae47KPEcNtpMh1M898a_io5vA&oe=65E4786D", "https://static.xx.fbcdn.net/rsrc.php/y-/r/hmcZxtXAtYh.svg", "https://static.xx.fbcdn.net/rsrc.php/v3/ym/l/0,cross/fngpW-FrVhd.css?_nc_x=Ij3Wp8lg5Kz", "https://static.cdninstagram.com/rsrc.php/v3iWID4/yC/l/en_US/43Mqev6Q9CU.js?_nc_x=Ij3Wp8lg5Kz" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tyfdyT-3xafve-momsos", "id": "228887", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 18, "hostname": 70, "FileHash-MD5": 1, "URL": 161 }, "indicator_count": 250, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c994c8b145925072b6583a", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov", "description": "Link found active in https://house.mo.gov. \nhttps://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1 |", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-12T03:47:20.138000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab679e6ff8544ecf11962", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov ", "description": "", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-13T00:23:21.062000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": "65c994c8b145925072b6583a", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "Login privileges", "https://m.facebook.com/", "https://connect.facebook.net/signals/config/1916681798651990?v=2.9.145&r=stable&domain=developers.facebook.com&hme=20c913bdcd4be51a752120153aa5caaecb3ee86c7f26cf737846e40b202aba68&ex_m=62%2C106%2C94%2C98%2C53%2C3%2C88%2C61%2C14%2C86%2C79%2C44%2C46%2C150%2C153%2C164%2C160%2C161%2C163%2C25%2C89%2C45%2C68%2C162%2C145%2C148%2C157%2C158%2C165%2C115%2C13%2C43%2C169%2C168%2C117%2C16%2C29%2C32%2C1%2C36%2C57%2C58%2C59%2C63%2C83%2C15%2C12%2C85%2C82%2C81%2C95%2C97%2C31%2C96%2C26%2C22%2C146%2C149%2C124%2C24%2C9%2C10%2C", "https://www.facebooksunglassshop.com [pegasus related]", "172.31.13.249", "https://static.cdninstagram.com/rsrc.php/v3iWID4/yC/l/en_US/43Mqev6Q9CU.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3ihVQ4/y0/l/en_US/vPxpLcwHX7V.js?_nc_x=Ij3Wp8lg5Kz", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://static.xx.fbcdn.net/rsrc.php/y-/r/hmcZxtXAtYh.svg", "https://static.xx.fbcdn.net/rsrc.php/v3iLQG4/yB/l/en_US/ZrB35JaC5Ph.js?_nc_x=Ij3Wp8lg5Kz", "gstatic.com", "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://static.xx.fbcdn.net/rsrc.php/v3/ys/r/FtcggJWVWTF.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3iLl54/yO/l/en_US/9t3PW1CRLNe.js?_nc_x=Ij3Wp8lg5Kz", "Unsupported/Fake Windows NT Version 5.0", "https://static.xx.fbcdn.net/rsrc.php/v3/yw/l/0,cross/CXjTiRbc_8T.css?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/y3/r/U86edKxQdCC.js?_nc_x=Ij3Wp8lg5K", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "https://static.xx.fbcdn.net/rsrc.php/v3/yq/r/zrtbGCoE-kJ.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/y7/l/0,cross/04QJzvjR9Wh.css?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/ye/r/1pdBd6ULIhq.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/y9/r/fRsOvQa49Br.js?_nc_x=Ij3Wp8lg5Kz", "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebook.com/tr?id=675141479195042&ev=PageView&noscript=1", "https://static.xx.fbcdn.net/rsrc.php/v3/ym/l/0,cross/fngpW-FrVhd.css?_nc_x=Ij3Wp8lg", "https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/FMIZEwefrSt.js?_nc_x=Ij3Wp8lg5Kz", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://scontent.fyvr2-1.fna.fbcdn.net/v/t39.2365-6/294896942_578136803798152_4396611467422003184_n.svg?_nc_cat=103&ccb=1-7&_nc_sid=e280be&_nc_ohc=l4z2NxVw9_sAX-QewmZ&_nc_ht=scontent.fyvr2-1.fna&oh=00_AfBu307FrljF61Vlh4c5Eae47KPEcNtpMh1M898a_io5vA&oe=65E4786D", "https://static.xx.fbcdn.net/rsrc.php/v3/y7/l/0,cross/04QJzvjR9Wh.css", "https://static.xx.fbcdn.net/rsrc.php/v3/ys/r/3eq9Oo5XUhW.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/ym/l/0,cross/fngpW-FrVhd.css?_nc_x=Ij3Wp8lg5Kz" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Cobalt strike", "Malware", "Qakbot", "Formbook", "Trojan:win32/qqpass", "Privateloader", "Trojan:win32/antavmu.d", "Win32:malwarex-gen\\ [trj]", "#lowfi:hstr:msil/possibledownloader.s01", "Trojan:win32/zombie.a", "Trojan:win32/dorv.b!rfn", "Blacknet rat", "Amadey", "Qbot", "Pws:msil/dcstl.gd!mtb", "Worm:win32/mofksys.rnd!mtb" ], "industries": [ "Government", "Technology", "Civil society" ], "unique_indicators": 16396 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/location.search", "whois": "http://whois.domaintools.com/location.search", "domain": "location.search", "hostname": "w.location.search" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "65eea19a23474b8c7dca351f", "name": "All Items - find from the UA archive disk", "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things", "modified": "2025-12-24T08:28:47.628000", "created": "2024-03-11T06:15:54.351000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "160 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6639853fc403f7be5bd6f27d", "name": "Facebook+", "description": "", "modified": "2024-05-07T01:34:55.365000", "created": "2024-05-07T01:34:55.365000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs", "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs", "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark", "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark", "", "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "65eea19a23474b8c7dca351f", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Phone2209", "id": "281168", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1165, "hostname": 866, "URL": 657, "FileHash-SHA256": 26, "email": 337, "FileHash-MD5": 12, "FileHash-SHA1": 8, "CIDR": 1 }, "indicator_count": 3072, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "757 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e576d419524d75af35a36e", "name": "FormBook", "description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.", "modified": "2024-04-03T05:03:03.527000", "created": "2024-03-04T07:23:00.177000", "tags": [ "resolutions", "referrer", "siblings", "asn owner", "historical ssl", "contacted", "high level", "hackers", "formbook", "name verdict", "falcon sandbox", "report", "united", "registrar", "creation date", "search", "emails", "name", "name servers", "showing", "unknown", "scan endpoints", "date", "next", "root ca", "pattern match", "authority", "beginstring", "class", "mitre att", "global root", "ck id", "show technique", "ck matrix", "null", "accept", "refresh", "span", "error", "tools", "body", "look", "verify", "restart", "hybrid", "local", "click", "strings", "files files", "ssl certificate", "tsara brashears", "highly targeted", "ransomware", "dark power", "play ransomware", "malware", "core", "installer", "awful", "snatch", "metro", "service", "critical", "copy", "execution", "location united", "asn as15169", "less whois", "as15169 google", "status", "entries", "record value", "servers", "trojan", "win32", "aaaa", "worm", "passive dns", "gmt cache", "sameorigin", "all scoreblue", "ipv4", "lowfi", "domain related", "urls", "domain", "nxdomain", "hostname", "users", "yara detections", "alerts", "high", "filehash", "pulse pulses", "av detections", "ids detections", "musicmaid", "reader", "office standard", "high process", "injection t1055", "t1055", "x00x00", "icmp traffic", "injection", "hijacker", "password", "stealer", "corruption", "targeting", "172.31.13.249" ], "references": [ "gstatic.com", "Unsupported/Fake Windows NT Version 5.0", "Login privileges", "172.31.13.249" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Dorv.B!rfn", "display_name": "Trojan:Win32/Dorv.B!rfn", "target": "/malware/Trojan:Win32/Dorv.B!rfn" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "PWS:MSIL/Dcstl.GD!MTB", "display_name": "PWS:MSIL/Dcstl.GD!MTB", "target": "/malware/PWS:MSIL/Dcstl.GD!MTB" }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Win32:MalwareX-gen\\ [Trj]", "display_name": "Win32:MalwareX-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1002", "name": "Data Compressed", "display_name": "T1002 - Data Compressed" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3117, "FileHash-MD5": 280, "FileHash-SHA1": 286, "FileHash-SHA256": 3773, "domain": 1264, "hostname": 1595, "email": 6, "CVE": 5 }, "indicator_count": 10326, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e57f32581a900dfb272d05", "name": "FormBook | 172.31.13.249", "description": "", "modified": "2024-04-03T05:03:03.527000", "created": "2024-03-04T07:58:42.074000", "tags": [ "resolutions", "referrer", "siblings", "asn owner", "historical ssl", "contacted", "high level", "hackers", "formbook", "name verdict", "falcon sandbox", "report", "united", "registrar", "creation date", "search", "emails", "name", "name servers", "showing", "unknown", "scan endpoints", "date", "next", "root ca", "pattern match", "authority", "beginstring", "class", "mitre att", "global root", "ck id", "show technique", "ck matrix", "null", "accept", "refresh", "span", "error", "tools", "body", "look", "verify", "restart", "hybrid", "local", "click", "strings", "files files", "ssl certificate", "tsara brashears", "highly targeted", "ransomware", "dark power", "play ransomware", "malware", "core", "installer", "awful", "snatch", "metro", "service", "critical", "copy", "execution", "location united", "asn as15169", "less whois", "as15169 google", "status", "entries", "record value", "servers", "trojan", "win32", "aaaa", "worm", "passive dns", "gmt cache", "sameorigin", "all scoreblue", "ipv4", "lowfi", "domain related", "urls", "domain", "nxdomain", "hostname", "users", "yara detections", "alerts", "high", "filehash", "pulse pulses", "av detections", "ids detections", "musicmaid", "reader", "office standard", "high process", "injection t1055", "t1055", "x00x00", "icmp traffic", "injection", "hijacker", "password", "stealer", "corruption", "targeting", "172.31.13.249" ], "references": [ "gstatic.com", "Unsupported/Fake Windows NT Version 5.0", "Login privileges", "172.31.13.249" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Dorv.B!rfn", "display_name": "Trojan:Win32/Dorv.B!rfn", "target": "/malware/Trojan:Win32/Dorv.B!rfn" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "PWS:MSIL/Dcstl.GD!MTB", "display_name": "PWS:MSIL/Dcstl.GD!MTB", "target": "/malware/PWS:MSIL/Dcstl.GD!MTB" }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Win32:MalwareX-gen\\ [Trj]", "display_name": "Win32:MalwareX-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1002", "name": "Data Compressed", "display_name": "T1002 - Data Compressed" } ], "industries": [], "TLP": "white", "cloned_from": "65e576d419524d75af35a36e", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3117, "FileHash-MD5": 280, "FileHash-SHA1": 286, "FileHash-SHA256": 3773, "domain": 1264, "hostname": 1595, "email": 6, "CVE": 5 }, "indicator_count": 10326, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ca2c15ef8b75bd6e216604", "name": "Does this help?", "description": "A guide to the key words and phrases used to describe a Facebook user's identity, as well as the language they use to express their desire to use the social networking site, and the answers to some of them.", "modified": "2024-03-13T14:03:24.834000", "created": "2024-02-12T14:32:53.743000", "tags": [ "your request", "email", "password forgot", "sign up", "return home", "english", "espaol franais", "france", "portugus", "brasil", "meta", "helvetica", "input", "neue", "arial", "neue medium", "neue light", "f7f8fa", "e4e6eb", "span", "fbpkgdelim", "https", "intlsavelocale", "help", "lite", "marketplace", "fundraisers", "careers", "facebook search", "clear", "facebook", "date", "null", "image", "math", "avozjyab7ng", "typesearch", "article", "sans", "helvetica neue", "sansseriflight", "symbol", "iterator", "fblogger", "typeerror", "sitedata", "errorguard", "timeslice", "typeof", "arbiter", "error", "blank", "phase", "firefox", "phone", "iemobile", "create", "connect", "forgot password", "page", "website", "cookie", "banzai", "falcoutils", "random", "cookiecore", "persistedqueue", "clock", "mcss", "mevent", "number", "urlsearchparams", "internalenum", "banzailogger", "97hz", "messagereceived", "mdom", "stratcom", "mviewport", "mhistory", "mpagecache", "muri", "scriptpath", "mvector", "keys", "kaioscontroller", "webstorage", "portaltv", "timesliceimpl", "serverjs", "mrun", "murigo", "promiseimpl", "mdatastore", "mdtsg", "mdtsgasync", "4328", "5540", "bigpipe", "5954", "6972", "usidmetadata", "ps8qy011yx6dcb", "5888", "3904", "4806", "6687", "eventconfig", "default5000", "zekacv", "fbtlogging", "dvatkzf", "banzaibase", "mgetfbtresult", "mfbjson", "meventlistener", "u0001", "i9zo81o", "5943", "addressbar", "banzaiadapter", "intlvariations", "uint8array", "websession", "boolean", "void", "shutdown", "mpagecontroller", "mstopngo", "javelinhistory", "mhome", "errorutils" ], "references": [ "https://static.xx.fbcdn.net/rsrc.php/v3/y7/l/0,cross/04QJzvjR9Wh.css", "https://static.xx.fbcdn.net/rsrc.php/v3/yw/l/0,cross/CXjTiRbc_8T.css?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/y7/l/0,cross/04QJzvjR9Wh.css?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/ys/r/3eq9Oo5XUhW.js?_nc_x=Ij3Wp8lg5Kz", "https://m.facebook.com/", "https://static.xx.fbcdn.net/rsrc.php/v3/ye/r/1pdBd6ULIhq.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3iLQG4/yB/l/en_US/ZrB35JaC5Ph.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3iLl54/yO/l/en_US/9t3PW1CRLNe.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/ys/r/FtcggJWVWTF.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/y3/r/U86edKxQdCC.js?_nc_x=Ij3Wp8lg5K", "https://static.xx.fbcdn.net/rsrc.php/v3/yO/r/FMIZEwefrSt.js?_nc_x=Ij3Wp8lg5Kz" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tyfdyT-3xafve-momsos", "id": "228887", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 94, "domain": 28, "hostname": 55, "FileHash-SHA1": 1, "FileHash-MD5": 1, "FileHash-SHA256": 2 }, "indicator_count": 181, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ca380d2d92d403572c6ba5", "name": "Ummm yeah.", "description": "E-mail: e-bryderon-e-satellite-to-be, \u00c2\u00a31.5m, to be used as a link to the International Space Station.", "modified": "2024-03-13T14:03:24.834000", "created": "2024-02-12T15:23:57.994000", "tags": [ "timesliceimpl", "serverjs", "mrun", "murigo", "promiseimpl", "mdatastore", "mdtsg", "mdtsgasync", "avqvwtpup1i", "timeslice", "4328", "5540", "zekacv", "fbtlogging", "mfbjson", "banzaibase", "mgetfbtresult", "meventlistener", "u0001", "v3ugoou", "nskv1me", "5943", "addressbar", "mcss", "mevent", "3904", "6687", "eventconfig", "default5000", "min100", "1726", "gmt connection", "status code", "bad request", "http response", "date", "null", "image", "math", "avozjyabfg0", "moved", "found", "gmt altsvc", "avozjyabbdg", "symbol", "facebook", "the software", "facebook pixel", "error", "pixel code", "copyright", "apis", "policy", "http", "scriptpath", "banzai", "clickrefutils", "arbiter", "persistedqueue", "void", "sessionname", "event", "websession", "cookie", "xcontroller", "bool", "ignoredynamic", "cssimg", "herotracinghold", "ignore", "loadingstate", "mediavcimage", "graphik lcg", "graphik arabic", "web regular", "helvetica neue", "helvetica", "arial", "lucida grande", "sansserif", "fbpkgdelim", "runblue", "asyncrequest", "runwww", "fbjson", "dtsg", "dtsgasync", "2915", "pageview", "init", "675141479195042", "574561515946252", "z m82", "post", "edit", "edited", "view" ], "references": [ "https://connect.facebook.net/signals/config/1916681798651990?v=2.9.145&r=stable&domain=developers.facebook.com&hme=20c913bdcd4be51a752120153aa5caaecb3ee86c7f26cf737846e40b202aba68&ex_m=62%2C106%2C94%2C98%2C53%2C3%2C88%2C61%2C14%2C86%2C79%2C44%2C46%2C150%2C153%2C164%2C160%2C161%2C163%2C25%2C89%2C45%2C68%2C162%2C145%2C148%2C157%2C158%2C165%2C115%2C13%2C43%2C169%2C168%2C117%2C16%2C29%2C32%2C1%2C36%2C57%2C58%2C59%2C63%2C83%2C15%2C12%2C85%2C82%2C81%2C95%2C97%2C31%2C96%2C26%2C22%2C146%2C149%2C124%2C24%2C9%2C10%2C", "https://static.xx.fbcdn.net/rsrc.php/v3ihVQ4/y0/l/en_US/vPxpLcwHX7V.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/yq/r/zrtbGCoE-kJ.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/y9/r/fRsOvQa49Br.js?_nc_x=Ij3Wp8lg5Kz", "https://static.xx.fbcdn.net/rsrc.php/v3/ym/l/0,cross/fngpW-FrVhd.css?_nc_x=Ij3Wp8lg", "https://www.facebook.com/tr?id=675141479195042&ev=PageView&noscript=1", "https://scontent.fyvr2-1.fna.fbcdn.net/v/t39.2365-6/294896942_578136803798152_4396611467422003184_n.svg?_nc_cat=103&ccb=1-7&_nc_sid=e280be&_nc_ohc=l4z2NxVw9_sAX-QewmZ&_nc_ht=scontent.fyvr2-1.fna&oh=00_AfBu307FrljF61Vlh4c5Eae47KPEcNtpMh1M898a_io5vA&oe=65E4786D", "https://static.xx.fbcdn.net/rsrc.php/y-/r/hmcZxtXAtYh.svg", "https://static.xx.fbcdn.net/rsrc.php/v3/ym/l/0,cross/fngpW-FrVhd.css?_nc_x=Ij3Wp8lg5Kz", "https://static.cdninstagram.com/rsrc.php/v3iWID4/yC/l/en_US/43Mqev6Q9CU.js?_nc_x=Ij3Wp8lg5Kz" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tyfdyT-3xafve-momsos", "id": "228887", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 18, "hostname": 70, "FileHash-MD5": 1, "URL": 161 }, "indicator_count": 250, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c994c8b145925072b6583a", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov", "description": "Link found active in https://house.mo.gov. \nhttps://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1 |", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-12T03:47:20.138000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab679e6ff8544ecf11962", "name": "Private Loader cyber threat - Sliq.net | https://house.mo.gov ", "description": "", "modified": "2024-03-13T03:00:40.889000", "created": "2024-02-13T00:23:21.062000", "tags": [ "ssl certificate", "threat roundup", "referrer", "historical ssl", "remcos rat", "august", "iocs", "contacted", "qakbot", "june", "service", "privateloader", "amadey", "blacknet rat", "qbot", "cobalt strike", "push", "core", "malformed domains", "sliq", "typosquatting", "malware", "network", "dns", "spyware", "access", "remote", "cyber threat", "virus network", "command and control", "remote connections", "exploits", "injection", "legislature", "trojan", "scanning host", "threat analyzer", "threat", "paste", "urls https", "locationchamber", "viewmode3", "hostnames", "url https", "false layer", "http" ], "references": [ "https://sg001-harmony.sliq.net/00325/harmony/en/PowerBrowser/RoomRouter?location=chamber&viewMode=3&globalStreamId=1", "https://www.facebooksunglassshop.com [pegasus related]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Technology", "Civil Society" ], "TLP": "white", "cloned_from": "65c994c8b145925072b6583a", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 36, "FileHash-SHA256": 1384, "CVE": 5, "URL": 1865, "domain": 222, "hostname": 648 }, "indicator_count": 4216, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://w.location.search/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://w.location.search/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780471860.1088283 }