{ "type": "URL", "indicator": "https://web.imoneso.cn", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://web.imoneso.cn", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3818145857, "indicator": "https://web.imoneso.cn", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 25, "pulses": [ { "id": "66cd0d8da99ad679a1e5049b", "name": "VirusTotal Cl0p Ransomware Attack", "description": "Virustotal Ransomware attack when attempting to evaluate malicious link : http://bbd383ttka22.top/prize/luckyus-ad/nigh.php?c=69zejibbz5fz1&k=987ad34e7843dd8f3a3cb6559f188769&country_code=US&country_name=United%20States®ion=New%20York&city=Plainview&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=ja&ref_domain=&os=iOS&osv=16&browser=Chrome&browserv=115&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5\n Residual Cl0p Ransomware attack seen. \n\nAll Tags , Malware Families and Mitre ATT&CK results: Auto-populated.", "modified": "2024-09-25T22:04:23.320000", "created": "2024-08-26T23:19:41.093000", "tags": [ "please", "javascript", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "suricata ipv4", "united", "date", "suricata udpv4", "meta", "general", "twitter", "click", "strings", "virustotal", "body", "contact", "heur", "cisco umbrella", "malware", "site", "safe site", "suspected", "malware site", "filerepmetagen", "malicious site", "alexa top", "iframe", "wacatac", "downldr", "crack", "filetour", "cleaner", "exploit", "presenoker", "agent", "conduit", "riskware", "acint", "behav", "genkryptik", "phishing", "azorult", "cobalt strike", "runescape", "facebook", "bank", "download", "xrat", "installcore", "patcher", "adload", "cl0p", "trojanspy", "webtoolbar", "detection list", "blacklist", "mail spammer", "phishing site", "ip address", "malicious url", "ascii text", "et tor", "known tor", "misc attack", "pattern match", "relayrouter", "exit", "node traffic", "local", "core", "no data", "analyzer threat", "ip summary", "summary", "spammer", "node tcp", "traffic", "tor known", "ssh attacker", "attacker", "hostile host", "threats et", "cl0p ransomware", "analyzer paste", "iocs", "entity" ], "references": [ "https://www.virustotal.com/graph/http%3A%2F%2Fbbd383ttka22.top%2Fprize%2Fluckyus-ad%2Fnigh.php%3Fc%3D69zejibbz5fz1%26k%3D987ad34e7843dd8f3a3cb6559f188769%26country_code%3DUS%26country_name%3DUnited%2520States%26region%3DNew%2520York%26city%3DPlainview%26isp%3DMCI%2520Communications%2520Services%2C%2520Inc.%2520d%2Fb%2Fa%2520Verizon%2520Business%26lang%3Dja%26ref_domain%3D%26os%3DiOS%26osv%3D16%26browser%3DChrome%26browserv%3D115%26brand%3DApple%26model%3DiPhone%26marketing_name%3DiPhone%26tablet%3D2%26rheig", "bundled.toolbar.google | http://bundled.toolbar.google/http:/toolbar.google.| toolbar.google | https://bundled.toolbar.google/", "https://bundled.toolbar.google | http://toolbar.google.| http://bundled.toolbar.google/ | http://bundled.toolbar.google", "cryptpad.effi.org | cryptpad-sandbox.effi.org | www2.effi.org | tor.effi.org | tor-ou.effi.org", "www2.effi.org\t | tor.effi.org | tor-ou.effi.org", "op.lunistra.com | api.demand-iq.com", "Ransomware Report: https://www.hybrid-analysis.com/sample/c58e07f62f576d36567d74ca25bdff8374231e7985ff05a10bffbc5cb4296904/66ccf708c605284e0a0aea74" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 55, "hostname": 132, "FileHash-SHA256": 278, "FileHash-MD5": 138, "FileHash-SHA1": 65, "SSLCertFingerprint": 8, "URL": 269, "CVE": 8 }, "indicator_count": 953, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "570 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6695e27f356a22d97fba5ca8", "name": "Critical attack/s continues to affect YouTube Creator/s account/s", "description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23", "modified": "2024-08-15T02:00:24.886000", "created": "2024-07-16T03:01:17.316000", "tags": [ "win32 exe", "wextract", "kb file", "files", "file type", "javascript", "graph", "ip detections", "country", "userprofile", "runtime modules", "samplepath", "delnoderundll32", "mpgph131 hr", "hourly rl", "highest c", "mpgph131 lg", "onlogon rl", "highest", "process", "registrya", "registry keys", "registry", "windows policy", "shell folders", "file execution", "binary data", "security center", "text c", "peexe c", "xml c", "zip c", "file system", "written c", "dropped", "hashes", "windows nt", "wow64", "referer https", "date thu", "get https", "request", "gecko response", "gmt connection", "gmt vary", "etag", "accept", "win64", "query", "windows get", "internal", "set file", "create", "create process", "windows read", "shutdown system", "modify access", "delete registry", "enumerate", "behavior tags", "k0pmbc", "spsfsb", "ctsu", "efq78c", "egw7od", "en3i8d", "i6ydgd", "iz1fbc", "izt63", "kum7z", "vs2003", "sp1 build", "contained", "info compiler", "products", "header intel", "name md5", "type", "language", "simplified", "army", "variant sides", "with russia", "ramnit", "netsupport rat", "sneaky server", "replacement", "unauthorized", "sim unlock", "emotet", "chaos", "malicious", "critical", "copy", "life", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "cc linker", "urls", "gandi sas", "domains", "cloudflare", "ii llc", "psiusa", "domain robot", "ltd dba", "com laude", "ascio", "contacted", "ms word", "document", "b file", "html", "javascript jac", "html iu3", "executed by usa", "#wextract", "#unsigned", "thor", "stealer", "evader", "systemroot", "grum", "high", "delete c", "cape", "write", "103 read", "clsid read", "date read", "trojan", "united", "unknown", "status", "cname", "creation date", "search", "as1921", "austria unknown", "emails", "expiration date", "date", "pragma", "next", "passive dns", "backdoor", "win32", "scan endpoints", "all scoreblue", "ipv4", "usa", "co", "teams", "cybercrime", "spoof", "benjamin", "dynamicloader", "write c", "pe32 executable", "show", "yara rule", "windows", "recon", "worm", "powershell", "june", "delphi", "malware", "malice", "retaliation", "through the nights", "apple", "lenovo", "ios", "hackers", "move", "moved" ], "references": [ "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "https://www.youtube.com/watch?v=GyuMozsVyYs", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "nr-data.net [Apple Private Data Collection]", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WAT:Blacked-E", "display_name": "WAT:Blacked-E", "target": null }, { "id": "Win32:RmnDrp [Inf]", "display_name": "Win32:RmnDrp [Inf]", "target": null }, { "id": "AI:FileInfector.EAEEA7850C", "display_name": "AI:FileInfector.EAEEA7850C", "target": null }, { "id": "Virus.Ramnit/Nimnul", "display_name": "Virus.Ramnit/Nimnul", "target": null }, { "id": "Trojan.Crifi.1", "display_name": "Trojan.Crifi.1", "target": null }, { "id": "Trojan.MSIL.Injurer.cbd", "display_name": "Trojan.MSIL.Injurer.cbd", "target": null }, { "id": "Win.Downloader.Small-1645", "display_name": "Win.Downloader.Small-1645", "target": null }, { "id": "Trojan:Win32/Scrarev.C", "display_name": "Trojan:Win32/Scrarev.C", "target": "/malware/Trojan:Win32/Scrarev.C" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Speesipro.A", "display_name": "Trojan:Win32/Speesipro.A", "target": "/malware/Trojan:Win32/Speesipro.A" }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Backdoor:Win32/Likseput.B", "display_name": "Backdoor:Win32/Likseput.B", "target": "/malware/Backdoor:Win32/Likseput.B" }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003.007", "name": "Proc Filesystem", "display_name": "T1003.007 - Proc Filesystem" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology", "Civil Society", "Crime Victims" ], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4312, "domain": 1056, "hostname": 1818, "URL": 5125, "FileHash-MD5": 310, "FileHash-SHA1": 221, "email": 3 }, "indicator_count": 12845, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6694bb9be1b61bf820500004", "name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet", "description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.", "modified": "2024-08-14T05:03:59.815000", "created": "2024-07-15T06:03:07.423000", "tags": [ "historical ssl", "referrer", "december", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "highly targeted", "cyber attack", "emotet", "critical", "copy", "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "pragma", "form", "hope", "karma", "learn", "suspicious", "flag", "pe resource", "synaptics", "apeaksoft ios", "hiddentear", "urls", "domains", "contacted", "markmonitor", "win32 exe", "parents", "type name", "msrsaapp", "youtube bot", "rar jays", "mozilla firefox", "twitch", "samplename", "rar youtube", "zip youtube", "social bots", "files", "file type", "kb file", "b file", "graph", "get https", "msie", "windows nt", "win64", "slcc2", "media center", "request", "gmt server", "referer https", "amd64 accept", "accept", "code", "rwx memory", "managed code", "calls unmanaged", "native", "often seen", "base64 encrypt", "trojan", "tsara brashears", "red team hacking", "process32nextw", "regsetvalueexa", "regdword", "high", "medium", "objects", "regbinary", "module load", "t1129", "t1060", "crash", "dock", "persistence", "execution", "okhfjrtblzo", "ip check", "windows", "http host", "controlservice", "domain", "registry", "tools", "service", "worm", "malware", "win32", "bits", "read c", "intel", "ms windows", "pe32", "search", "type read", "show", "wow64", "stop", "write", "unknown", "waiting", "push", "next", "asnone united", "aaaa", "united kingdom", "as20738 host", "moved", "passive dns", "default", "delete c", "pe32 executable", "document file", "v2 document", "floodfix", "floxif", "name servers", "susp", "showing", "as55286", "scan endpoints", "all scoreblue", "ransom", "amadey", "songculture", "spreader", "tracey richter", "roberts", "michael roberts", "jays", "sabey", "rexxfield", "darklivity" ], "references": [ "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "Ransom: message.htm.com", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "W32.AIDetectMalware.CS", "display_name": "W32.AIDetectMalware.CS", "target": null }, { "id": "Win.Virus.Pioneer-9111434-0", "display_name": "Win.Virus.Pioneer-9111434-0", "target": null }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win32:Renos-KY\\ [Trj]", "display_name": "Win32:Renos-KY\\ [Trj]", "target": null }, { "id": ", Win.Worm.Pykspa-6057105-0", "display_name": ", Win.Worm.Pykspa-6057105-0", "target": null }, { "id": "Worm:Win32/Pykspa.C", "display_name": "Worm:Win32/Pykspa.C", "target": "/malware/Worm:Win32/Pykspa.C" }, { "id": "PUP/Hacktool", "display_name": "PUP/Hacktool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 439, "FileHash-SHA1": 386, "FileHash-SHA256": 2320, "URL": 1873, "domain": 478, "hostname": 839, "SSLCertFingerprint": 9, "email": 7 }, "indicator_count": 6351, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6692cf0e2273bb06aa43e43c", "name": "Banker: Through The Nights - YouTube | Errors |", "description": "YouTube creator issue. Hijacked channel. Won't open in VT, 303 error, ransomware files. Ransomware confirmed, limited access/research for today's pulse.", "modified": "2024-08-12T18:02:56.458000", "created": "2024-07-13T19:01:34.484000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "low risk", "domain", "no malware", "found", "site", "ip address", "google network", "unknown", "low security", "risk", "hacked", "protect", "path", "secure", "httponly", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "samesitenone", "http response", "final url", "status code", "body length", "kb body", "pragma", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "jess", "tsara brashears", "zafira songs", "youtube og", "hope", "html info", "meta tags", "data", "v3 serial", "number", "cus ogoogle", "trust", "llc cngts", "validity", "subject public", "key info", "key algorithm", "name", "whois lookup", "create date", "expiry date", "query time", "update date", "update", "passive dns", "gmt content", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "urls", "files", "related pulses", "error", "code", "algorithm", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 343, "SSLCertFingerprint": 8, "URL": 333, "domain": 69, "hostname": 165 }, "indicator_count": 924, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "615 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85faa9b8e3e1206d7f25c", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ", "description": "", "modified": "2024-06-15T04:39:29.943000", "created": "2024-01-30T02:32:10.210000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3503, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28413, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603360b48908ae9b9835563", "name": "IoT Dark Nexus + Mirai BotNet HELP HER PLEASE!!- Enom | TELNET Root |", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:54:35.118000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015553ad4633eb85c66817", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:31.072000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015551faca20cb510f9121", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:29.149000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cdfd20f6237e3892c0", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:25.910000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cc958e062575a9a160", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:24.154000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603369ad0e38e313883c4fa", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root HELP! RETALIATION HAS OCCURRED ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:56:58.037000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 4468, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f55ed2015e05ffbc2b72a8", "name": "Control Server | Browser Install| Kernel Modules and Extensions", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-16T08:56:50.387000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980471600645142bcd924", "name": "Control Server | Browser Install| Kernel Modules and Extensions ", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-19T12:08:39.100000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "65f55ed2015e05ffbc2b72a8", "export_count": 186946, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e3d1a94659d50264a78fd4", "name": "Phishing | TabExplorer attacks compromised networks and devices", "description": "", "modified": "2024-04-02T01:01:20.068000", "created": "2024-03-03T01:26:01.043000", "tags": [ "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "suricata udpv4", "date", "united", "windows nt", "win64", "hybrid", "general", "click", "strings", "contact", "url http", "url https", "scan endpoints", "all octoseek", "report spam", "hour ago", "whois record", "glasgow", "scan", "iocs", "next", "filehashsha256", "filehashmd5", "filehashsha1", "ipv4", "contacted", "execution", "pe resource", "communicating", "urls http", "referrer", "resolutions", "whois whois", "collections ip", "phishing", "attack", "loaded module", "remote procedure call", "search", "as15133 verizon", "passive dns", "urls", "creation date", "record value", "showing", "unknown", "as8075", "as15169 google", "as8068", "aaaa", "cname", "a domains", "meta", "entries", "gmt server", "ecacc saa83dd", "cobalt strike", "mozilla", "body", "brian sabey", "hallrender", "dynamicloader", "show", "alerts", "trojan", "copy", "dynamic", "medium", "reads", "write", "stealth network", "stealth_network", "script urls", "certificate", "rsa sha256", "exports data", "high", "yara rule", "yara detections", "njrat", "cape", "njrat malware", "sniffs", "guard", "write c", "delete c", "ms windows", "default", "intel", "openpgp public", "stream", "antivm_generic_disk", "antivm_generic_bios", "network_bind", "stealth_file spawns_dev_utility", "procmem_yara", "enumerates_physical_drives", "persistence_ads", "dynamic_function_loading", "reads_self", "suspicious_command_tools", "network", "rat" ], "references": [ "http://www.tabxexplorer.com [phishing]", "http://www.tabxexplorer.com/lenovo", "GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0", "identity_helper.exe", "cdn.easykeys.com", "hive21.ctcsoftware.com", "www.moxa.com", "msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com", "IDS Detections: Cobalt Strike Malleable C2 JQuery", "IDS Detections: Nullsoft Mozilla UA (NSISDL)", "IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))", "IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)", "IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe", "Tulach Malware: 114.114.114.114", "ns3.hallgrandsale.ru", "AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30", "AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3", "Yara Detection: Nullsoft_NSIS" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "ALF:Win32/GbdInf_305B1C9A.J!ibt", "display_name": "ALF:Win32/GbdInf_305B1C9A.J!ibt", "target": "/malware/ALF:Win32/GbdInf_305B1C9A.J!ibt" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool:Win32/CobaltStrike.A", "display_name": "HackTool:Win32/CobaltStrike.A", "target": "/malware/HackTool:Win32/CobaltStrike.A" }, { "id": "HackTool:Win32/Atosev.A", "display_name": "HackTool:Win32/Atosev.A", "target": "/malware/HackTool:Win32/Atosev.A" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Win.Malware.Generickdz-9938530-0", "display_name": "Win.Malware.Generickdz-9938530-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Civil Society", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5551, "hostname": 1690, "domain": 929, "FileHash-SHA256": 2696, "FileHash-MD5": 405, "FileHash-SHA1": 315, "email": 4, "SSLCertFingerprint": 1 }, "indicator_count": 11591, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "747 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d8c371cc0957afd9195ae0", "name": ":MalwareX-gen\\ [Trj]", "description": "", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T16:10:26", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": "65d85bc3164cd519bc4a282d", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d85bc3164cd519bc4a282d", "name": "Win32:RansomX-gen\\ [Ransom] \u2022 Win32:MalwareX-gen\\ [Trj]", "description": "https://otx.alienvault.com/indicator/ doesn't finish loading. Unable to analyze detections.\nnetwork_icmp\nallocates_rwx\npacker_entropy\nhas_pdb\npe_unknown_resource_name\nsysinternals_tools_usage\nallocates_rwx\nsuspicious_process", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T08:48:03.696000", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c942169a345feccec332cd", "name": "Miscellaneous Attack - https://house.mo.gov/", "description": "Researchers at the University of Missouri in Missouri have published their results on a new web server called \"revisor.com\" (revisors.mo.gov) for the next three years..", "modified": "2024-03-12T21:02:15.675000", "created": "2024-02-11T21:54:30.139000", "tags": [ "threat analyzer", "threat", "paste", "iocs", "urls https", "showcctrue", "locationchamber", "viewmode3", "analyze", "hostname", "samples", "url https", "span", "pattern match", "script", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "input", "iframe", "body", "form", "error", "night", "bill", "february", "hybrid", "general", "local", "click", "strings", "footer", "no data", "tag count", "count blacklist", "tag tag", "heim", "a domains", "as393601 state", "united", "link", "object", "title", "statutes", "passive dns", "urls", "cname", "meta", "date", "encrypt", "aaaa", "as8987 amazon", "nxdomain", "whitelisted", "a nxdomain", "scan endpoints", "next", "all octoseek", "ipv4", "trojan", "verdana", "x content", "x xss", "sameorigin x", "pulse submit", "unknown", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "as397241", "name servers", "center oak", "city sterling", "code us", "name security", "phone number", "postal code", "pulse pulses", "files", "representative rex", "threat report", "ip summary", "url summary", "summary", "sample", "detection list", "blacklist", "session", "session floor", "hearings", "sunday", "missouri", "filter view", "new recordings", "no filter", "session jcr", "hearing house", "live", "label", "core", "script urls", "r3 dv", "tls ca" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 130, "FileHash-SHA1": 81, "FileHash-SHA256": 263, "URL": 704, "domain": 368, "hostname": 467, "email": 1 }, "indicator_count": 2014, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b6b54d59d24b1522364fd6", "name": "AiCloud - Comcast Dnspionage", "description": "AiCloud, a cloud-based app that connects to Apple and Google, has been compromised by a malicious virus.", "modified": "2024-02-27T19:04:14.842000", "created": "2024-01-28T20:13:01.311000", "tags": [ "prefetch8", "command decode", "prefetch1", "suricata ipv4", "suricata udpv4", "mitre att", "united", "ck id", "show technique", "ck matrix", "date", "hybrid", "general", "click", "strings", "contact", "passive dns", "as7922 comcast", "x ua", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "meta", "status", "creation date", "search", "record value", "expiration date", "name servers", "next", "ai cloud", "cname", "as7018 att", "win32", "entries", "unknown", "body", "no redirect", "dynamicloader", "msie", "windows nt", "as16509", "medium", "default", "show", "copy", "powershell", "write", "pegasus", "apple mobile", "content", "nso group", "apple web", "apple app capable", "typosquatting", "spyware", "epoch" ], "references": [ "c-67-181-73-197.hsd1.ca.comcast.net", "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259", "identity_helper.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 522, "URL": 1194, "domain": 440, "FileHash-SHA256": 1528, "CVE": 1, "email": 2, "FileHash-MD5": 297, "FileHash-SHA1": 297 }, "indicator_count": 4281, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b806e2724db65b47cf66e0", "name": "AiCloud - Comcast Dnspionage", "description": "", "modified": "2024-02-27T19:04:14.842000", "created": "2024-01-29T20:13:22.271000", "tags": [ "prefetch8", "command decode", "prefetch1", "suricata ipv4", "suricata udpv4", "mitre att", "united", "ck id", "show technique", "ck matrix", "date", "hybrid", "general", "click", "strings", "contact", "passive dns", "as7922 comcast", "x ua", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "meta", "status", "creation date", "search", "record value", "expiration date", "name servers", "next", "ai cloud", "cname", "as7018 att", "win32", "entries", "unknown", "body", "no redirect", "dynamicloader", "msie", "windows nt", "as16509", "medium", "default", "show", "copy", "powershell", "write", "pegasus", "apple mobile", "content", "nso group", "apple web", "apple app capable", "typosquatting", "spyware", "epoch" ], "references": [ "c-67-181-73-197.hsd1.ca.comcast.net", "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259", "identity_helper.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": "65b6b54d59d24b1522364fd6", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 522, "URL": 1194, "domain": 440, "FileHash-SHA256": 1528, "CVE": 1, "email": 2, "FileHash-MD5": 297, "FileHash-SHA1": 297 }, "indicator_count": 4281, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc13594cf21dbe00b94807", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-02-01T21:55:37.581000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "65b85faa9b8e3e1206d7f25c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7e6e042a968005f7a5552", "name": "Content Reputation | ET | Botnet | Targeting", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-17T14:40:32.084000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659719b77c383c73c05208a9", "name": "Content Reputation | ET | Botnet | Targeting", "description": "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-04T20:48:55.431000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659560d63178b32f07838efb", "name": "Covert | Big O Tires active cyber threat | Dark Power | Emotet|", "description": "Active, ongoing cyber threat, multiple malicious activities including, network rat, ransomware encryption, social engineering, spammers, infostealer, botnet activity.\nConsumers may also be contacted by mail or phone or find account seized. I haven't benn able to properly access the magnitude of the issue, there has been at least a handful of customers in good standing , with higher limits on paid of cards that ended up being stolen or according to Big O Representatives 'closed' for unfounded reasons; failure to confirm citizenship, identity, unknown patriot act offences, failure to comply Big O Tires via mail.", "modified": "2024-02-02T12:04:41.638000", "created": "2024-01-03T13:27:50.685000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "unsafeeval", "path", "expiressat", "auto", "wheels online", "o tires", "shop tires", "html info", "title shop", "tires", "meta tags", "big o", "tires language", "name verdict", "falcon sandbox", "samples", "localappdata", "json data", "temp", "getprocaddress", "ascii text", "windir", "file", "indicator", "mitre att", "ck id", "factory", "hybrid", "model", "comspec", "ssl certificate", "whois record", "execution", "contacted", "historical ssl", "whois whois", "simda http", "collections", "historical", "dropped", "backdoor", "unknown", "united", "asnone", "show", "entries", "search", "intel", "ms windows", "pe32", "windows nt", "copy", "write", "logic", "download", "malware", "suspicious", "next", "destination", "port", "components", "globalnpf", "china as23724", "music", "data c", "mexico", "as15169 google", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "united kingdom", "explorer", "xserver", "mtb aug", "location united", "america asn", "open", "trojan", "worm", "dataadobereader", "as397240", "msie", "etpro trojan", "virgin islands", "script urls", "creation date", "record value", "date", "a domains", "all search", "otx octoseek", "url http", "http", "related nids", "pulse http", "url https", "files location", "as20940", "aaaa", "as2914 ntt", "canada unknown", "japan unknown", "as16625 akamai", "domain", "hostname", "gmt content", "gmt report", "0 report", "sea alt", "body", "encrypt", "social engineering", "revenge rat", "rat", "identity theft", "credit card", "referrer", "communicating", "bundled", "family", "roots", "lolkek", "tzw variants", "quasar rat", "dark power", "swisyn", "wiper", "ransomware", "cobalt strike", "attack", "core", "emotet", "exploit", "hacktool", "mail spammer", "as63949 linode", "mtb dec", "checkin m1", "trojanspy", "artro", "remote", "infostealer" ], "references": [ "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ukraine", "Georgia", "India", "Hong Kong", "Canada", "China", "Indonesia", "South Africa", "Germany", "Slovenia", "Mexico", "Netherlands", "Japan", "Spain", "Argentina", "France", "Chile", "Italy", "Aruba", "Switzerland", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Poland", "Colombia", "Taiwan", "Bulgaria", "Austria", "Russian Federation", "Australia", "Philippines", "Norway", "Sweden" ], "malware_families": [ { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "#Lowfi:SCPT:KiraAsciiObfuscator", "display_name": "#Lowfi:SCPT:KiraAsciiObfuscator", "target": null }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "PWS:Win32/VB.CU", "display_name": "PWS:Win32/VB.CU", "target": "/malware/PWS:Win32/VB.CU" }, { "id": "Trojan:MSIL/ClipBanker.GB!MTB", "display_name": "Trojan:MSIL/ClipBanker.GB!MTB", "target": "/malware/Trojan:MSIL/ClipBanker.GB!MTB" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win.Packed.Zusy-7170176-0", "display_name": "Win.Packed.Zusy-7170176-0", "target": null }, { "id": "Win.Trojan.Zbot-9880005-0", "display_name": "Win.Trojan.Zbot-9880005-0", "target": null }, { "id": "'Win32:Trojan-gen", "display_name": "'Win32:Trojan-gen", "target": null }, { "id": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "display_name": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "target": null }, { "id": "Worm:Win32/Mofksys.B", "display_name": "Worm:Win32/Mofksys.B", "target": "/malware/Worm:Win32/Mofksys.B" }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Worm:LOGO/Logic", "display_name": "Worm:LOGO/Logic", "target": "/malware/Worm:LOGO/Logic" }, { "id": "ETPro Trojan", "display_name": "ETPro Trojan", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Swisyn", "display_name": "TrojanSpy:Win32/Swisyn", "target": "/malware/TrojanSpy:Win32/Swisyn" }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 560, "FileHash-SHA1": 350, "FileHash-SHA256": 4371, "URL": 8165, "domain": 2548, "hostname": 2813, "CVE": 4, "email": 3 }, "indicator_count": 18814, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "807 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://www.tabxexplorer.com [phishing]", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Ryuk: kramtechnology.com", "https://api.wavebrowserbase.com", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "IDS Detections: Cobalt Strike Malleable C2 JQuery", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "hive21.ctcsoftware.com", "IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "0-w5-cms.ultimate-guitar.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "bundled.toolbar.google | http://bundled.toolbar.google/http:/toolbar.google.| toolbar.google | https://bundled.toolbar.google/", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "http://alohatube.xyz/search/tsara-brashears", "https://tulach.cc/", "msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Tulach Malware: 114.114.114.114", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "newrelic.se", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "IDS Detections: Nullsoft Mozilla UA (NSISDL)", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "Ransomware Report: https://www.hybrid-analysis.com/sample/c58e07f62f576d36567d74ca25bdff8374231e7985ff05a10bffbc5cb4296904/66ccf708c605284e0a0aea74", "Botnet Server IP: 141.226.230.48", "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "cryptpad.effi.org | cryptpad-sandbox.effi.org | www2.effi.org | tor.effi.org | tor-ou.effi.org", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "https://www.myminiweb.com/", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "HOSTEDBYAPPLIEDI.NET - Enom", "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "identity_helper.exe", "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "nr-data.net [Apple Private Data Collection]", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr", "Yara Detection: Nullsoft_NSIS", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "https://www.youtube.com/watch?v=GyuMozsVyYs", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "https://www.sweetheartvideo.com/tsara-brashears/", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Ryuk: http://kramtechnology.com/", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Ransom: message.htm.com", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]", "IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))", "c-67-181-73-197.hsd1.ca.comcast.net", "cdn.easykeys.com", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "ns3.hallgrandsale.ru", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "https://bundled.toolbar.google | http://toolbar.google.| http://bundled.toolbar.google/ | http://bundled.toolbar.google", "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc", "www2.effi.org\t | tor.effi.org | tor-ou.effi.org", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "1.116.217.151 [Cobalt Strike]", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.virustotal.com/graph/http%3A%2F%2Fbbd383ttka22.top%2Fprize%2Fluckyus-ad%2Fnigh.php%3Fc%3D69zejibbz5fz1%26k%3D987ad34e7843dd8f3a3cb6559f188769%26country_code%3DUS%26country_name%3DUnited%2520States%26region%3DNew%2520York%26city%3DPlainview%26isp%3DMCI%2520Communications%2520Services%2C%2520Inc.%2520d%2Fb%2Fa%2520Verizon%2520Business%26lang%3Dja%26ref_domain%3D%26os%3DiOS%26osv%3D16%26browser%3DChrome%26browserv%3D115%26brand%3DApple%26model%3DiPhone%26marketing_name%3DiPhone%26tablet%3D2%26rheig", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "op.lunistra.com | api.demand-iq.com", "http://www.tabxexplorer.com/lenovo", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "dvd-game-new-releases.info", "www.moxa.com", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "vtbehaviour.commondatastorage.googleapis.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Out For Blood" ], "malware_families": [ "W32.aidetectmalware.cs", "Hacktool:win32/atosev.a", "Virus:win32/sality.at", "Alf:heraklezeval:trojanspy:win32/socstealer", "Pup/hacktool", "Alf:trojan:msil/agenttesla.km", "Ransom", "Pegasus", "Win32:renos-ky\\ [trj]", "Backdoor.xtreme", "Win.trojan.zbot-9880005-0", "Content reputation", "Alf:heraklezeval:trojan:win32/clipbanker", "Trojandownloader:win32/cutwail.bs", "Unix.trojan.darknexus-7679166-0", "'win32:trojan-gen", "Pws:win32/vb.cu", "Worm:logo/logic", "Artro", "Trojan.crifi.1", "Backdoor:win32/likseput.b", "Hacktool:win32/cobaltstrike.a", "Elf:mirai-gh\\ [trj]", "Tel:trojandownloader:o97m/msiexecabuse", "Hacktool", "Mirai", "Trojanspy:win32/swisyn", "Worm:win32/mofksys.b", "Sabey", "Trojan:win32/comspec", "Ransomware", "Trojan:win32/scrarev.c", "Hallgrand", "Trojanspy", "Crypt3.blxp", "Win32:rmndrp [inf]", "Trojandownloader:win32/nemucod", "Pws:win32/qqpass.b!mtb", "Androidoverlaymalware - mob-s0012", "#lowfi:scpt:kiraasciiobfuscator", "Backdoor:win32/simda", "Webtoolbar", "Trojandownloader:win32/upatre", "Win.downloader.small-1645", "Worm:win32/benjamin", "Worm:win32/pykspa.c", "Etpro trojan", "Win.malware.generickdz-9938530-0", ", win.worm.pykspa-6057105-0", "Maltiverse", "Dark power", "Worm:win32/mofksys.rnd!mtb", "Wat:blacked-e", "Ai:fileinfector.eaeea7850c", "Virus:win32/floxif.h", "Cobalt strike", "Hallrender", "Cl0p", "Trojan:win32/zombie.a", "Lolkek", "Win.virus.pioneer-9111434-0", "Emotet", "Win.packed.zusy-7170176-0", "Trojan:msil/clipbanker.gb!mtb", "Alf:win32/gbdinf_305b1c9a.j!ibt", "Generic", "Tulach", "Quasar rat", "Trojan.msil.injurer.cbd", "Virus.ramnit/nimnul", "Et", "Trojandownloader:win32/cutwail", "Trojan:win32/speesipro.a" ], "industries": [ "Healthcare", "Civil society", "Media", "Technology", "Crime victims", "Telecommunications", "Private sector" ], "unique_indicators": 127902 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/imoneso.cn", "whois": "http://whois.domaintools.com/imoneso.cn", "domain": "imoneso.cn", "hostname": "web.imoneso.cn" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 25, "pulses": [ { "id": "66cd0d8da99ad679a1e5049b", "name": "VirusTotal Cl0p Ransomware Attack", "description": "Virustotal Ransomware attack when attempting to evaluate malicious link : http://bbd383ttka22.top/prize/luckyus-ad/nigh.php?c=69zejibbz5fz1&k=987ad34e7843dd8f3a3cb6559f188769&country_code=US&country_name=United%20States®ion=New%20York&city=Plainview&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=ja&ref_domain=&os=iOS&osv=16&browser=Chrome&browserv=115&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5\n Residual Cl0p Ransomware attack seen. \n\nAll Tags , Malware Families and Mitre ATT&CK results: Auto-populated.", "modified": "2024-09-25T22:04:23.320000", "created": "2024-08-26T23:19:41.093000", "tags": [ "please", "javascript", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "suricata ipv4", "united", "date", "suricata udpv4", "meta", "general", "twitter", "click", "strings", "virustotal", "body", "contact", "heur", "cisco umbrella", "malware", "site", "safe site", "suspected", "malware site", "filerepmetagen", "malicious site", "alexa top", "iframe", "wacatac", "downldr", "crack", "filetour", "cleaner", "exploit", "presenoker", "agent", "conduit", "riskware", "acint", "behav", "genkryptik", "phishing", "azorult", "cobalt strike", "runescape", "facebook", "bank", "download", "xrat", "installcore", "patcher", "adload", "cl0p", "trojanspy", "webtoolbar", "detection list", "blacklist", "mail spammer", "phishing site", "ip address", "malicious url", "ascii text", "et tor", "known tor", "misc attack", "pattern match", "relayrouter", "exit", "node traffic", "local", "core", "no data", "analyzer threat", "ip summary", "summary", "spammer", "node tcp", "traffic", "tor known", "ssh attacker", "attacker", "hostile host", "threats et", "cl0p ransomware", "analyzer paste", "iocs", "entity" ], "references": [ "https://www.virustotal.com/graph/http%3A%2F%2Fbbd383ttka22.top%2Fprize%2Fluckyus-ad%2Fnigh.php%3Fc%3D69zejibbz5fz1%26k%3D987ad34e7843dd8f3a3cb6559f188769%26country_code%3DUS%26country_name%3DUnited%2520States%26region%3DNew%2520York%26city%3DPlainview%26isp%3DMCI%2520Communications%2520Services%2C%2520Inc.%2520d%2Fb%2Fa%2520Verizon%2520Business%26lang%3Dja%26ref_domain%3D%26os%3DiOS%26osv%3D16%26browser%3DChrome%26browserv%3D115%26brand%3DApple%26model%3DiPhone%26marketing_name%3DiPhone%26tablet%3D2%26rheig", "bundled.toolbar.google | http://bundled.toolbar.google/http:/toolbar.google.| toolbar.google | https://bundled.toolbar.google/", "https://bundled.toolbar.google | http://toolbar.google.| http://bundled.toolbar.google/ | http://bundled.toolbar.google", "cryptpad.effi.org | cryptpad-sandbox.effi.org | www2.effi.org | tor.effi.org | tor-ou.effi.org", "www2.effi.org\t | tor.effi.org | tor-ou.effi.org", "op.lunistra.com | api.demand-iq.com", "Ransomware Report: https://www.hybrid-analysis.com/sample/c58e07f62f576d36567d74ca25bdff8374231e7985ff05a10bffbc5cb4296904/66ccf708c605284e0a0aea74" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 55, "hostname": 132, "FileHash-SHA256": 278, "FileHash-MD5": 138, "FileHash-SHA1": 65, "SSLCertFingerprint": 8, "URL": 269, "CVE": 8 }, "indicator_count": 953, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "570 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6695e27f356a22d97fba5ca8", "name": "Critical attack/s continues to affect YouTube Creator/s account/s", "description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23", "modified": "2024-08-15T02:00:24.886000", "created": "2024-07-16T03:01:17.316000", "tags": [ "win32 exe", "wextract", "kb file", "files", "file type", "javascript", "graph", "ip detections", "country", "userprofile", "runtime modules", "samplepath", "delnoderundll32", "mpgph131 hr", "hourly rl", "highest c", "mpgph131 lg", "onlogon rl", "highest", "process", "registrya", "registry keys", "registry", "windows policy", "shell folders", "file execution", "binary data", "security center", "text c", "peexe c", "xml c", "zip c", "file system", "written c", "dropped", "hashes", "windows nt", "wow64", "referer https", "date thu", "get https", "request", "gecko response", "gmt connection", "gmt vary", "etag", "accept", "win64", "query", "windows get", "internal", "set file", "create", "create process", "windows read", "shutdown system", "modify access", "delete registry", "enumerate", "behavior tags", "k0pmbc", "spsfsb", "ctsu", "efq78c", "egw7od", "en3i8d", "i6ydgd", "iz1fbc", "izt63", "kum7z", "vs2003", "sp1 build", "contained", "info compiler", "products", "header intel", "name md5", "type", "language", "simplified", "army", "variant sides", "with russia", "ramnit", "netsupport rat", "sneaky server", "replacement", "unauthorized", "sim unlock", "emotet", "chaos", "malicious", "critical", "copy", "life", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "cc linker", "urls", "gandi sas", "domains", "cloudflare", "ii llc", "psiusa", "domain robot", "ltd dba", "com laude", "ascio", "contacted", "ms word", "document", "b file", "html", "javascript jac", "html iu3", "executed by usa", "#wextract", "#unsigned", "thor", "stealer", "evader", "systemroot", "grum", "high", "delete c", "cape", "write", "103 read", "clsid read", "date read", "trojan", "united", "unknown", "status", "cname", "creation date", "search", "as1921", "austria unknown", "emails", "expiration date", "date", "pragma", "next", "passive dns", "backdoor", "win32", "scan endpoints", "all scoreblue", "ipv4", "usa", "co", "teams", "cybercrime", "spoof", "benjamin", "dynamicloader", "write c", "pe32 executable", "show", "yara rule", "windows", "recon", "worm", "powershell", "june", "delphi", "malware", "malice", "retaliation", "through the nights", "apple", "lenovo", "ios", "hackers", "move", "moved" ], "references": [ "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "https://www.youtube.com/watch?v=GyuMozsVyYs", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "nr-data.net [Apple Private Data Collection]", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WAT:Blacked-E", "display_name": "WAT:Blacked-E", "target": null }, { "id": "Win32:RmnDrp [Inf]", "display_name": "Win32:RmnDrp [Inf]", "target": null }, { "id": "AI:FileInfector.EAEEA7850C", "display_name": "AI:FileInfector.EAEEA7850C", "target": null }, { "id": "Virus.Ramnit/Nimnul", "display_name": "Virus.Ramnit/Nimnul", "target": null }, { "id": "Trojan.Crifi.1", "display_name": "Trojan.Crifi.1", "target": null }, { "id": "Trojan.MSIL.Injurer.cbd", "display_name": "Trojan.MSIL.Injurer.cbd", "target": null }, { "id": "Win.Downloader.Small-1645", "display_name": "Win.Downloader.Small-1645", "target": null }, { "id": "Trojan:Win32/Scrarev.C", "display_name": "Trojan:Win32/Scrarev.C", "target": "/malware/Trojan:Win32/Scrarev.C" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Speesipro.A", "display_name": "Trojan:Win32/Speesipro.A", "target": "/malware/Trojan:Win32/Speesipro.A" }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Backdoor:Win32/Likseput.B", "display_name": "Backdoor:Win32/Likseput.B", "target": "/malware/Backdoor:Win32/Likseput.B" }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003.007", "name": "Proc Filesystem", "display_name": "T1003.007 - Proc Filesystem" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology", "Civil Society", "Crime Victims" ], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4312, "domain": 1056, "hostname": 1818, "URL": 5125, "FileHash-MD5": 310, "FileHash-SHA1": 221, "email": 3 }, "indicator_count": 12845, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6694bb9be1b61bf820500004", "name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet", "description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.", "modified": "2024-08-14T05:03:59.815000", "created": "2024-07-15T06:03:07.423000", "tags": [ "historical ssl", "referrer", "december", "sneaky server", "replacement", "unauthorized", "high level", "hackers", "highly targeted", "cyber attack", "emotet", "critical", "copy", "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "pragma", "form", "hope", "karma", "learn", "suspicious", "flag", "pe resource", "synaptics", "apeaksoft ios", "hiddentear", "urls", "domains", "contacted", "markmonitor", "win32 exe", "parents", "type name", "msrsaapp", "youtube bot", "rar jays", "mozilla firefox", "twitch", "samplename", "rar youtube", "zip youtube", "social bots", "files", "file type", "kb file", "b file", "graph", "get https", "msie", "windows nt", "win64", "slcc2", "media center", "request", "gmt server", "referer https", "amd64 accept", "accept", "code", "rwx memory", "managed code", "calls unmanaged", "native", "often seen", "base64 encrypt", "trojan", "tsara brashears", "red team hacking", "process32nextw", "regsetvalueexa", "regdword", "high", "medium", "objects", "regbinary", "module load", "t1129", "t1060", "crash", "dock", "persistence", "execution", "okhfjrtblzo", "ip check", "windows", "http host", "controlservice", "domain", "registry", "tools", "service", "worm", "malware", "win32", "bits", "read c", "intel", "ms windows", "pe32", "search", "type read", "show", "wow64", "stop", "write", "unknown", "waiting", "push", "next", "asnone united", "aaaa", "united kingdom", "as20738 host", "moved", "passive dns", "default", "delete c", "pe32 executable", "document file", "v2 document", "floodfix", "floxif", "name servers", "susp", "showing", "as55286", "scan endpoints", "all scoreblue", "ransom", "amadey", "songculture", "spreader", "tracey richter", "roberts", "michael roberts", "jays", "sabey", "rexxfield", "darklivity" ], "references": [ "https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe", "https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details", "Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042", "Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze", "https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://freedns.afraid.org/subdomain/edit.php?data_id=21091713", "Ransom: message.htm.com", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception", "Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata", "Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create", "Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan", "https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd", "Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf", "https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1", "FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1", "Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H", "IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |", "Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates", "Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction", "Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser", "Alerts: stealth_windowcreates_exe suspicious_process exe_appdata", "http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]", "https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg", "https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]", "Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)", "https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor.Xtreme", "display_name": "Backdoor.Xtreme", "target": null }, { "id": "W32.AIDetectMalware.CS", "display_name": "W32.AIDetectMalware.CS", "target": null }, { "id": "Win.Virus.Pioneer-9111434-0", "display_name": "Win.Virus.Pioneer-9111434-0", "target": null }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win32:Renos-KY\\ [Trj]", "display_name": "Win32:Renos-KY\\ [Trj]", "target": null }, { "id": ", Win.Worm.Pykspa-6057105-0", "display_name": ", Win.Worm.Pykspa-6057105-0", "target": null }, { "id": "Worm:Win32/Pykspa.C", "display_name": "Worm:Win32/Pykspa.C", "target": "/malware/Worm:Win32/Pykspa.C" }, { "id": "PUP/Hacktool", "display_name": "PUP/Hacktool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 439, "FileHash-SHA1": 386, "FileHash-SHA256": 2320, "URL": 1873, "domain": 478, "hostname": 839, "SSLCertFingerprint": 9, "email": 7 }, "indicator_count": 6351, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6692cf0e2273bb06aa43e43c", "name": "Banker: Through The Nights - YouTube | Errors |", "description": "YouTube creator issue. Hijacked channel. Won't open in VT, 303 error, ransomware files. Ransomware confirmed, limited access/research for today's pulse.", "modified": "2024-08-12T18:02:56.458000", "created": "2024-07-13T19:01:34.484000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "low risk", "domain", "no malware", "found", "site", "ip address", "google network", "unknown", "low security", "risk", "hacked", "protect", "path", "secure", "httponly", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "samesitenone", "http response", "final url", "status code", "body length", "kb body", "pragma", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "jess", "tsara brashears", "zafira songs", "youtube og", "hope", "html info", "meta tags", "data", "v3 serial", "number", "cus ogoogle", "trust", "llc cngts", "validity", "subject public", "key info", "key algorithm", "name", "whois lookup", "create date", "expiry date", "query time", "update date", "update", "passive dns", "gmt content", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "urls", "files", "related pulses", "error", "code", "algorithm", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 343, "SSLCertFingerprint": 8, "URL": 333, "domain": 69, "hostname": 165 }, "indicator_count": 924, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "615 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85faa9b8e3e1206d7f25c", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ", "description": "", "modified": "2024-06-15T04:39:29.943000", "created": "2024-01-30T02:32:10.210000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3503, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28413, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603360b48908ae9b9835563", "name": "IoT Dark Nexus + Mirai BotNet HELP HER PLEASE!!- Enom | TELNET Root |", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:54:35.118000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015553ad4633eb85c66817", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:31.072000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015551faca20cb510f9121", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:29.149000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cdfd20f6237e3892c0", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:25.910000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://web.imoneso.cn", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://web.imoneso.cn", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776630836.9773035 }