{ "type": "URL", "indicator": "https://webapi1.biofrontera.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://webapi1.biofrontera.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3870652236, "indicator": "https://webapi1.biofrontera.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69b7241a63b7527ac2b04d60", "name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]", "description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019 by msudosos notated in references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]", "modified": "2026-04-14T18:06:37.524000", "created": "2026-03-15T21:26:50.218000", "tags": [ "man software", "destination", "port", "united", "delete", "read c", "virustotal", "patched3_c.akrv", "armadillov171", "dod", "thinkman", "win32", "trojan", "present mar", "backdoor", "urls", "files", "unknown", "search", "china as23724", "asnone", "artemis", "zeppelin", "drweb", "vipre", "panda", "malware", "suspicious", "cloud", "logic", "et trojan", "et info", "download", "windows", "embeddedwb", "shellexecuteexw", "msie", "windows nt", "writeconsolew", "displayname", "service", "ids detections", "yara detections", "crypt", "medium", "whitelisted", "passive dns", "worm", "mtb may", "mtb aug", "otx logo", "all ipv4", "pulse pulses", "dynamicloader", "yara rule", "ff d5", "high", "reg add", "regsz d", "write", "file type", "pexe", "pe32", "intel", "ms windows", "pe packer", "pm size", "pehash", "richhash", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "over", "sha256", "sha1", "ascii text", "size", "mitre att", "pattern match", "null", "span", "error", "body", "hybrid", "general", "local", "path", "click", "strings", "refresh", "tools", "title", "show technique", "look", "verify", "restart", "t1480 execution", "navy", "reputation", "adult content", "cyber warfare" ], "references": [ "AVDetections: Patched3_c.AKRV", "Yara Detections: Armadillov171", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "Email: d4@thinkman.com", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "ASN AS27064 dod network information center", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "Alerts: stealth_window packer_entropy uses_windows_utilities", "Alerts: console_output antivm_memory_available pe_features", "Yara Detections: MS_Visual_Basic_6_0", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "mailbox.co.za", "fmx32.aig.com \u2022 167.230.105.81", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Patched3_c.AKRV", "display_name": "Patched3_c.AKRV", "target": null }, { "id": "Win32:Agent-ALXE\\ [Rtk]", "display_name": "Win32:Agent-ALXE\\ [Rtk]", "target": null }, { "id": "Win.Trojan.Rootkit-4668", "display_name": "Win.Trojan.Rootkit-4668", "target": null }, { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Crypt3.CHZW", "display_name": "Crypt3.CHZW", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Crypt3.BOQD\t\t Inject2.BHBW", "display_name": "Crypt3.BOQD\t\t Inject2.BHBW", "target": null }, { "id": "Crypt3.BMVU", "display_name": "Crypt3.BMVU", "target": null }, { "id": "Trojan.DownLoader12.43161", "display_name": "Trojan.DownLoader12.43161", "target": null }, { "id": "HEUR/UnSec", "display_name": "HEUR/UnSec", "target": null }, { "id": "ET Trojan", "display_name": "ET Trojan", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "TrojanDownloader:Win32/Umbald.A", "display_name": "TrojanDownloader:Win32/Umbald.A", "target": "/malware/TrojanDownloader:Win32/Umbald.A" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Military", "Defense", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 165, "FileHash-SHA1": 165, "FileHash-SHA256": 3524, "URL": 11424, "email": 1, "hostname": 3954, "domain": 2523 }, "indicator_count": 21756, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddeb45c45f6a3cd721397d", "name": "Active attacks \u2022 Apple \u2022 Tulach", "description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious", "modified": "2026-04-14T07:22:45.250000", "created": "2026-04-14T07:22:45.250000", "tags": [ "url http", "ipv4", "indicator role", "active related", "united", "moved", "gmt content", "certificate", "all domain", "msie", "chrome", "extraction", "data upload", "twitter", "cookie", "extra", "include data", "review locs", "exclude", "suggested os", "onlv", "failed", "stop data", "read c", "unicode", "rgba", "memcommit", "delete", "dock", "write", "execution", "sc type", "extri", "include review", "exclude sugges", "typ data", "a domains", "present apr", "script urls", "files", "files ip", "address", "ios", "mac", "apple", "appleid", "itunes", "next associated", "all ipv4", "included ic", "uny teade", "type hostnar", "hostnar hostnar", "hostnar", "macair", "macairaustralia", "ipad", "ipod", "cryptexportkey", "invalid pointer", "cryptgenkey", "stream", "defender", "delphi", "class", "stack", "format", "unknown", "united states", "phishing", "password", "traffic redirected", "service mod", "service execution", "youtube", "music", "streams", "songs", "played songs", "music streams", "most played", "fonelab", "indicator", "included iocs", "manually add", "review ocs", "exclude inn", "sugges data", "find", "include", "url https", "enter sc", "type", "no matchme", "search otx", "https", "references x", "analyze", "open th", "url data", "se http", "no match", "excluded iocs", "iocs", "ip whitelisted", "whitelisted", "tcp include", "analysis date", "file score", "medium risk", "yara detections", "contacted", "related tags", "x vercel", "file type", "type indicator", "role title", "related pulses", "mulch virtua", "library loade", "included i0", "review ioc", "excluded ic", "suggested", "find sugt", "samuel tulach", "unity engine", "tulach", "sa awareness", "sabey", "sar cut", "autofill", "includer review", "portiana oney", "targeting", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "musickit_1_.js", "lazarus", "injection", "CVE-2017-8570", "prefetch2", "target", "aaaa", "ip address", "record value", "emails", "samuel tuachs", "sapev", "review exclude", "monitored target", "script", "mitre att", "ascii text", "span", "path", "iframe", "april", "hybrid", "general", "local", "click", "strings", "body", "development att", "t1055.012 list planting", "active" ], "references": [ "https://trade.kraken.com/charts/KRAKEN:APT-USD>+y", "https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/", "https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/", "https://podcasts.apple.com/us/podcast/lazarus", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://help.aiseesoft.jp/blu-ray-player", "http://help.aiseesoft.jp/fonelab/", "https://action.aiseesoft.jp/itunes.php", "http://help.aiseesoft.jp/total-video-converter", "http://help.aiseesoft.jp/total-video-converter/", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/", "http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch", "http://test-firstmile.digitecgalaxus.ch", "https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/", "No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]", "cdn.rss.applemarketingtools.com", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "1.bing.com.cn", "www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net", "www.phantomcameras.cn", "https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"", "podcasts.apple.com \u2022 23.34.32.21", "www.apple.com \u2022 23.34.32.199", "js-cdn.music.apple.com \u2022 23.78.51.170", "http://firstmile.digitecgalaxus.ch", "Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb", "Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca", "Tulach.cc", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as", "Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains", "asp.net domain pointer", "developer.x.com", "aotx.alienvault.com (aotx.?)", "https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh", "https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1020.001", "name": "Traffic Duplication", "display_name": "T1020.001 - Traffic Duplication" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591.002", "name": "Business Relationships", "display_name": "T1591.002 - Business Relationships" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1029, "domain": 396, "email": 7, "URL": 2784, "FileHash-SHA256": 898, "FileHash-MD5": 79, "FileHash-SHA1": 68, "IPv4": 35, "CVE": 1, "SSLCertFingerprint": 13 }, "indicator_count": 5310, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "677e2740a2bd7272dfeaf4f2", "name": "http://185.145.131.197:9/mk/sb.jpg", "description": "The full text of the full transcript of this year's BBC Radio 4 World News Programme: 1:00 BST on Thursday, 1 December 2016, on the BBC iPlayer, and here are the key points", "modified": "2025-02-07T07:01:04.589000", "created": "2025-01-08T07:20:32.572000", "tags": [ "danie", "get i1a6", "okrndata", "http inetsim", "cieka", "sport", "pe32", "intel", "skrt", "hash", "prbka plik", "msdos", "ms windows", "crlf", "plik", "tekst ascii", "z terminatorami" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 79, "FileHash-SHA1": 65, "FileHash-SHA256": 149, "URL": 126, "hostname": 56, "domain": 30 }, "indicator_count": 505, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "436 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665c84b687c5e16b95e8f8e", "name": "94.152.152.223 v65023.niebieski.net Cyber_Folks S.A. (vgt.pl)", "description": "SHA1 32223ade25c4a1d39cb8ac13042e8e6dfe3ca78f , SHA1 \n 99987c1ee1ddb7fd113abd65c836fbb71c3da4da\n Role: UPX , Ransomware , Trojan , Mirai , Buschido Mirai antywirusowe\nWin.Trojan.VBGeneric-6735875-0 , Robak:Win32/Mofksys.RND!MTB", "modified": "2024-12-31T01:53:43.222000", "created": "2024-06-09T15:20:43.178000", "tags": [ "expiration", "no expiration", "url http", "url https", "hostname", "domain", "ipv4", "filehashsha256", "fh no", "filehashmd5", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "pl o", "unizeto", "sa ou", "urzd", "certum cn" ], "references": [ "https://viz.greynoise.io/analysis/f3d70a4f-14b1-4d26-8617-98d591", "https://viz.greynoise.io/analysis/a40cf3ce-d048-47c1-94b7-730b71", "https://viz.greynoise.io/analysis/4627bc3a-0238-4f2f-ad5c-c50527" ], "public": 1, "adversary": "TrojanDownloader:Win32/Nemucod", "targeted_countries": [ "Poland", "United States of America", "Germany", "Netherlands" ], "malware_families": [ { "id": "Serwer A Przed\u0142u\u017cenie sesji #{text} Wojcieszyce PL", "display_name": "Serwer A Przed\u0142u\u017cenie sesji #{text} Wojcieszyce PL", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027.004", "name": "Compile After Delivery", "display_name": "T1027.004 - Compile After Delivery" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1553.006", "name": "Code Signing Policy Modification", "display_name": "T1553.006 - Code Signing Policy Modification" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.001", "name": "Invalid Code Signature", "display_name": "T1036.001 - Invalid Code Signature" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3205, "FileHash-SHA1": 2671, "FileHash-SHA256": 11469, "SSLCertFingerprint": 6, "URL": 5435, "domain": 1356, "email": 55, "hostname": 2205, "CVE": 13, "YARA": 4, "CIDR": 1, "IPv4": 25, "FileHash-IMPHASH": 1, "BitcoinAddress": 2, "IPv6": 13 }, "indicator_count": 26461, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "474 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66831f04ad169d3b685c9645", "name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010", "description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.", "modified": "2024-10-14T20:36:07.924000", "created": "2024-07-01T21:26:27.623000", "tags": [ "no expiration", "filehashsha256", "hacktool", "expiration", "win32autokms no", "filehashmd5", "filehashsha1", "virus", "sha1", "win32", "trojan", "ransom", "pejzasz", "vhash", "imphash", "ssdeep", "hash", "skrt", "y pkmsauto", "crlf", "dodaj", "hostsettings", "v wczono", "t regdword", "powershell", "nowy", "pe32", "intel", "ms windows", "nazwa typ", "md5 nazwa", "procesu", "vs2013", "rticon neutral", "compiler", "submission", "file version", "chi2", "contained", "authentihash", "pehash", "uacme akagi", "cobalt strike", "detects", "roth", "sliver stagers", "highvol", "detects imphash", "zero", "virustotal", "detection rule", "license", "arnim rupp", "whasz", "github", "postpuj zgodnie", "przegld", "danie id", "github og", "url https", "error", "toast", "clientrender", "date", "promise", "65536", "client env", "alloy", "rangeerror", "staff", "upx dump", "security", "license v2", "e8 ff", "fc ff", "ff ff", "e8 f7", "c3 e8", "e8 db", "f0 c9", "c8 ff", "c9 c3", "c4 a8", "a7 ff", "f1 e8", "ec c7", "f0 c0", "c1 e9", "ec e8", "ff e8", "a3 a4", "db e2", "b0 e9", "e8 ba", "b9 f3", "e4 f8", "ff e9", "eb ed", "b6 b3", "b6 bb", "c8 f7", "c6 a8", "f6 c1", "b0 d7", "df e0", "c4 f0", "fc e8", "cf e5", "f8 ff", "f7 ff", "cc cc", "c3 b8", "b9 ff", "ff f3", "ab aa", "f7 f9", "b8 c7", "be ad", "ef be", "ad de", "e9 cd", "c4 f4", "fe ff", "d1 fa", "fa fc", "f3 a6", "fb ff", "fc c6", "fc eb", "e8 ed", "fb d1", "b6 f8", "c7 c7", "ec d0", "b6 d2", "ff e1", "c0 ac", "c1 e3", "c3 aa", "c2 c1", "d3 f7", "fc c7", "win32 cabinet", "selfextractor", "pecompact", "yarahub", "yara", "repository", "hub", "repo", "malware_onenote_delivery_jan23", "yara rule", "team", "sifalconteam", "yarahub entry", "rule details", "malpedia family", "rule matching", "content copy", "download rule", "malware", "cc by", "vbscript", "sub autoopen", "getobject", "batch" ], "references": [ "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23" ], "public": 1, "adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 14732, "FileHash-MD5": 4316, "FileHash-SHA1": 3405, "YARA": 181, "URL": 4793, "domain": 1717, "hostname": 4354, "IPv4": 107, "IPv6": 845, "email": 26, "CVE": 13, "FilePath": 1 }, "indicator_count": 34490, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6687495ad1e4ef814ec26c75", "name": "Remote Network Attack | JakyllHyde: Malicious Keyword Tool Index | Sabey Data Centers", "description": "Research shows compromise originated from Sabey Data Centers. High Priority 'Malicious' \nRemotely connects to victim network is injection,", "modified": "2024-09-05T06:26:17.295000", "created": "2024-07-05T01:16:10.251000", "tags": [ "read c", "get na", "sthubei", "otaokexing", "unknown", "write c", "outaokexing", "cntaokexing", "ms windows", "pe32", "win64", "write", "next", "win32", "malware", "copy", "keyword tool", "historical ssl", "referrer", "vs2010", "file", "sections", "signature", "file version", "windows system", "internal name", "version", "portable", "info compiler", "analyzer paste", "iocs", "url https", "samples", "cisco umbrella", "site", "safe site", "alexa top", "million", "heur", "malware site", "malicious site", "iframe", "alexa", "deepscan", "crack", "fusioncore", "cleaner", "riskware", "jakyllhyde", "china unknown", "asnone china", "cname", "as4812 china", "as4134 chinanet", "date", "moved", "search", "status", "body", "as4837 china", "bad request", "passive dns", "gmt content", "type", "scan endpoints", "all scoreblue", "twitter", "trojan", "urls", "machinename", "alibaba cloud", "computing", "beijing", "domains", "contacted", "ip detections", "country", "files", "file type", "signals mutexes", "local", "localc", "mutexes", "as31122 digiweb", "ireland unknown", "a domains", "gmt server", "pulse pulses", "pragma", "ipv4", "apache", "get http", "request", "host", "accept", "response", "date mon", "http requests", "connection", "server", "pluginrun", "ip traffic", "hashes", "user", "dns resolutions", "ff ff", "lowdatetime", "mofresourcename", "portclsmof", "hdaudiomofname", "processorwmi", "acpimofresource", "mofresource", "registry keys", "counter", "files written", "files dropped", "registry", "samplepath", "windir", "created c", "shell commands", "monitor", "arg0", "tree", "synchronization", "yara signature", "match", "thor apt", "scanner rule", "livehunt", "ruletype", "rule feed", "rulelink", "microsoft", "ruleauthor", "backdoor", "injection", "sabey data centers", "vbs", "remote attack", "extreme targeting", "116.207.118.87", "192.168.56.103", "linux", "locate linux deployed", "track", "tracking", "track all devices", "android", "apple", "apple webkit" ], "references": [ "Win32/JakyllHyde - RUNDLL32.EXE FileHash-SHA1 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17", "Found in a malicious keyword index: http://m.xiang5.com/keyword/17655.html&htE5-: Family", "IDS Detections: Win32/JakyllHyde C2 Activity Win32/JakyllHyde C2 Activity M2 PE EXE or DLL Windows file download HTTP", "Alerts: dead_host injection_runpe network_icmp allocates_execute_remote_process disables_proxy injection_modifies_memory modifies_proxy_wpad", "Alerts: origin_langid multiple_useragents process_interest recon_beacon injection_resumethread antivm_vmware_in_instruction dumped_buffer network_bind network_http allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Trojan:Win32/JakyllHyde: CnC IP's -183.95.89.203 116.211.100.182 Exploit Source: IPv4 116.207.118.87 163.171.134.109", "Trojan:Win32/JakyllHyde: FileHash-SHA256 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 37a641988cfb33066c12b68b23bec0623e3d0715d21d6e3b7304bdd7238c8790 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 002d9916a54c7ea70c931dca29c0a4500020d8040b9e446a5472b9089c29c8bc - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 440165588e14516e1ef13b6240aad27a0e8c49744c8383590425b3cc9d7f23f1 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 47d9e427da3dfe5253d0047c40fb773db59dbccb0ff650e86ce7490b2c520c2d - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 7512f88162744b57efd14cc5fb98bc7cf5588fa25c218a1e92fe8048932450a8 -trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 0c795954123ebf1806cdafef2b66322f8d40d3ac - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f971b96cd514dc62a43b51f32e3a440fe3e0c6d4 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 732198087c6a88afa356ea729bd3b8bb16c41901 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f02ebf4d8955c363d615a53cc44b048d75b7cefb - adware", "Trojan:Win32/JakyllHyde: FileHash-SHA1 800c8a5f93b04d6c5dc491ab582cd75165918f5f - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 b45c02987811425c672f56e011f394f94cc29a7b - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 be97e5638139ee689312e23022d2e55e58d123c6 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 0dd69941b0f01d1ee4d49c228f832bed - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 2f237a35379a5fa46168e3a01667f32c - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 35fc2b92d534f652ffe4ec3cbc3347b6 - adware", "Trojan:Win32/JakyllHyde: FileHash-MD5: 4d4cd0582109e110967bce75534031ed -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 8eeda8077a13f12aa72c8b7b5f457734 -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: d6d906a1c4061d3f41053b4548c7ea69 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: fa7d0ef6c2c634e4f0e890c3d5b4cf4f - trojan", "YARA Signature Match - THOR APT Scanner: RULE_TYPE: Valhalla Rule Feed Only \u26a1", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "DESCRIPTION: Detects malformed Microsoft copyright statements in executables RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/ RULE_AUTHOR: Florian Roth", "#copyright #statements #malformed_copyright_statements", "ETPRO MALWARE Win32/JakyllHyde C2: https://www.joesandbox.com/analysis/754158/0/html", "Snort IDS: 2836073 ETPRO MALWARE Win32/JakyllHyde C2 Activity 192.168.2.3:49698 ->", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET TROJAN W32/Witch.3FA0!tr CnC Actiivty M2 - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "System process connects to network (likely due to code injection or exploit)", "Snort IDS alert for network traffic | Detected VMProtect packer", "W32/Witch.3FA0!tr: FileHash-MD5 38be6c6b799140f435bc1b1d42275d7c", "W32/Witch.3FA0!tr: FileHash-SHA1 13ed578302cc1f302a8a9df9308859486aeb4d0b", "W32/Witch.3FA0!tr: 601928c4508162aed7491ea4995eca7361be6faeac3c06ee5fc5302e686e26448", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.cs", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.css", "http://tuijian.adhei.com/douyu/v /encrypt/gamebox_m.css", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+U;+Android+4.3.1;+en-us;+GT-I8190+Build/JZO54K)+AppleWebKit/534.30+", "http://57d7.zhanyu66.com/air.thinlinuxforandroid.apk", "http://sdk.1rtb.com/sdk/req_ad?app_package=com.scpp.plus&device_type=1&device_adid=92841014150fc3fd&device_geo_lat=&app_name=%E8%B", "http://ssp.1rtb.com/tracker?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)", "https://simulator-api.666phonemanager.com/advert/gamebox_winpop/online", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China", "Hong Kong", "Singapore" ], "malware_families": [ { "id": "Trojan:Win32/JakyllHyde", "display_name": "Trojan:Win32/JakyllHyde", "target": "/malware/Trojan:Win32/JakyllHyde" }, { "id": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "display_name": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "target": null }, { "id": "W32/Witch.3FA0!tr", "display_name": "W32/Witch.3FA0!tr", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1037.001", "name": "Logon Script (Windows)", "display_name": "T1037.001 - Logon Script (Windows)" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 682, "FileHash-SHA1": 327, "FileHash-SHA256": 2911, "SSLCertFingerprint": 4, "URL": 13039, "domain": 1038, "hostname": 2764, "email": 2, "CVE": 2 }, "indicator_count": 20769, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66141ecabe8f1ab189351dd3", "name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring", "description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related", "modified": "2024-05-08T16:00:34.588000", "created": "2024-04-08T16:43:54.908000", "tags": [ "installer", "tofsee", "trojan", "dropper", "dns", "as20940", "united", "aaaa", "as15703", "search", "servers", "as8455 schuberg", "a domains", "encrypt", "code", "tweakers", "unknown", "ransom", "body", "webcams", "banker", "location tracking", "vehicle tracking", "device tracking", "exploitation", "redirects", "ip tracking", "vpn nullify", "vehicle keycodes", "search threat", "analyzer feeds", "panel platform", "search platform", "profile user", "iocs", "redacted for", "passive dns", "all scoreblue", "hostname", "next", "cnc", "scanning host", "milesone", "virtual currency mining", "crypto", "regsetvalueexa", "regdword", "default", "show", "regbinary", "read c", "settingswpad", "as15169", "malware", "copy", "write", "upatre", "ids detections", "scan endpoints", "filehash", "av detections", "yara detections", "alerts", "analysis date", "file score", "ransom", "related pulses", "entries", "icmp traffic", "packing t1045", "t1045", "pe resource", "august", "win32", "for privacy", "creation date", "name servers", "urls", "date", "status", "as15169 google", "as44273 host", "ipv4", "pulse submit", "url analysis", "msie", "chrome", "moved", "title", "gmt content", "apple", "invalidate_gift_cards", "tulach rebranded", "hallrender rebranded", "as8075", "verdana", "td tr", "domain", "germany unknown", "as34011 host", "etag", "medium", "module load", "invalidate_google_play", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "win32 exe", "win32 dll", "javascript", "mozilla firefox", "edition", "detections type", "name", "keeweb", "setup", "firefox setup", "record type", "ttl value", "android", "files", "formbook", "critical cmd", "tracker", "tsara brashears", "remote", "historical ssl", "referrer", "march", "body html", "head meta", "moved title", "head body", "pegasus", "nemtih", "hit", "men", "gift_card_mining", "google_play_card_mining", "miner", "htmladodb may", "twitter", "win64", "as21342", "as2914 ntt", "as15334", "error", "certificate", "checkbox", "accept", "record value", "emails", "domain name" ], "references": [ "Virustotal - google.com.uy", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "nr-data.net [Apple Private Data Collection]", "checkip.dyndns.org [command and control]", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "144.76.108.82 [scanning host]", "Yara Detections PEtite24", "FormBook IP: 142.251.211.243", "https://pegasusm2.bullsbikesusa.com", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:MSIL/TrojanDropper", "display_name": "Trojan:MSIL/TrojanDropper", "target": "/malware/Trojan:MSIL/TrojanDropper" }, { "id": "Installer", "display_name": "Installer", "target": null }, { "id": "Sf:Agent-DQ\\ [Trj]", "display_name": "Sf:Agent-DQ\\ [Trj]", "target": null }, { "id": "TrojanDownloader:Win32/Upatre!rfn", "display_name": "TrojanDownloader:Win32/Upatre!rfn", "target": "/malware/TrojanDownloader:Win32/Upatre!rfn" }, { "id": "Win32:DropperX-gen\\ [Drp]", "display_name": "Win32:DropperX-gen\\ [Drp]", "target": null }, { "id": "Win.Trojan.Tofsee-9770082-1", "display_name": "Win.Trojan.Tofsee-9770082-1", "target": null }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1574.005", "name": "Executable Installer File Permissions Weakness", "display_name": "T1574.005 - Executable Installer File Permissions Weakness" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1493", "name": "Transmitted Data Manipulation", "display_name": "T1493 - Transmitted Data Manipulation" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1013", "name": "Port Monitors", "display_name": "T1013 - Port Monitors" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1468", "name": "Remotely Track Device Without Authorization", "display_name": "T1468 - Remotely Track Device Without Authorization" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 468, "FileHash-SHA256": 3233, "URL": 8667, "domain": 2219, "hostname": 3480, "email": 8 }, "indicator_count": 18467, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "711 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "asp.net domain pointer", "Yara Detections PEtite24", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.cs", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "http://help.aiseesoft.jp/total-video-converter/", "System process connects to network (likely due to code injection or exploit)", "https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "#copyright #statements #malformed_copyright_statements", "Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca", "https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/", "Trojan:Win32/JakyllHyde: FileHash-SHA256 440165588e14516e1ef13b6240aad27a0e8c49744c8383590425b3cc9d7f23f1 - trojan", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "http://help.aiseesoft.jp/fonelab/", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "https://viz.greynoise.io/analysis/f3d70a4f-14b1-4d26-8617-98d591", "Trojan:Win32/JakyllHyde: FileHash-MD5: 2f237a35379a5fa46168e3a01667f32c - trojan", "mailbox.co.za", "1.bing.com.cn", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f02ebf4d8955c363d615a53cc44b048d75b7cefb - adware", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+U;+Android+4.3.1;+en-us;+GT-I8190+Build/JZO54K)+AppleWebKit/534.30+", "http://help.aiseesoft.jp/video-converter-ultimate/", "FormBook IP: 142.251.211.243", "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "Yara Detections: MS_Visual_Basic_6_0", "Tulach.cc", "podcasts.apple.com \u2022 23.34.32.21", "AVDetections: Patched3_c.AKRV", "www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/", "http://sdk.1rtb.com/sdk/req_ad?app_package=com.scpp.plus&device_type=1&device_adid=92841014150fc3fd&device_geo_lat=&app_name=%E8%B", "ASN AS27064 dod network information center", "fmx32.aig.com \u2022 167.230.105.81", "Snort IDS alert for network traffic | Detected VMProtect packer", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "https://viz.greynoise.io/analysis/4627bc3a-0238-4f2f-ad5c-c50527", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "Alerts: console_output antivm_memory_available pe_features", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "ETPRO MALWARE Win32/JakyllHyde C2: https://www.joesandbox.com/analysis/754158/0/html", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "https://simulator-api.666phonemanager.com/advert/gamebox_winpop/online", "http://firstmile.digitecgalaxus.ch", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "W32/Witch.3FA0!tr: FileHash-MD5 38be6c6b799140f435bc1b1d42275d7c", "W32/Witch.3FA0!tr: FileHash-SHA1 13ed578302cc1f302a8a9df9308859486aeb4d0b", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn", "IDS Detections: Win32/JakyllHyde C2 Activity Win32/JakyllHyde C2 Activity M2 PE EXE or DLL Windows file download HTTP", "http://57d7.zhanyu66.com/air.thinlinuxforandroid.apk", "Virustotal - google.com.uy", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "Trojan:Win32/JakyllHyde: FileHash-SHA256 002d9916a54c7ea70c931dca29c0a4500020d8040b9e446a5472b9089c29c8bc - trojan", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "checkip.dyndns.org [command and control]", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"", "nr-data.net [Apple Private Data Collection]", "Trojan:Win32/JakyllHyde: FileHash-MD5: fa7d0ef6c2c634e4f0e890c3d5b4cf4f - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 800c8a5f93b04d6c5dc491ab582cd75165918f5f - trojan", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "http://test-firstmile.digitecgalaxus.ch", "Win32/JakyllHyde - RUNDLL32.EXE FileHash-SHA1 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "http://help.aiseesoft.jp/total-video-converter", "Trojan:Win32/JakyllHyde: FileHash-MD5: 8eeda8077a13f12aa72c8b7b5f457734 -trojan", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/ RULE_AUTHOR: Florian Roth", "www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f971b96cd514dc62a43b51f32e3a440fe3e0c6d4 - trojan", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "https://trade.kraken.com/charts/KRAKEN:APT-USD>+y", "http://help.aiseesoft.jp/blu-ray-player", "http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/", "https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Email: d4@thinkman.com", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "144.76.108.82 [scanning host]", "Snort IDS: 2836073 ETPRO MALWARE Win32/JakyllHyde C2 Activity 192.168.2.3:49698 ->", "www.apple.com \u2022 23.34.32.199", "Alerts: origin_langid multiple_useragents process_interest recon_beacon injection_resumethread antivm_vmware_in_instruction dumped_buffer network_bind network_http allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "aotx.alienvault.com (aotx.?)", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA", "Trojan:Win32/JakyllHyde: FileHash-MD5: 0dd69941b0f01d1ee4d49c228f832bed - trojan", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "Trojan:Win32/JakyllHyde: FileHash-SHA1 732198087c6a88afa356ea729bd3b8bb16c41901 - trojan", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "W32/Witch.3FA0!tr: 601928c4508162aed7491ea4995eca7361be6faeac3c06ee5fc5302e686e26448", "No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]", "Trojan:Win32/JakyllHyde: FileHash-MD5: d6d906a1c4061d3f41053b4548c7ea69 - trojan", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "Yara Detections: Armadillov171", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "Trojan:Win32/JakyllHyde: CnC IP's -183.95.89.203 116.211.100.182 Exploit Source: IPv4 116.207.118.87 163.171.134.109", "Found in a malicious keyword index: http://m.xiang5.com/keyword/17655.html&htE5-: Family", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "Trojan:Win32/JakyllHyde: FileHash-MD5: 4d4cd0582109e110967bce75534031ed -trojan", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "Alerts: dead_host injection_runpe network_icmp allocates_execute_remote_process disables_proxy injection_modifies_memory modifies_proxy_wpad", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.css", "Trojan:Win32/JakyllHyde: FileHash-SHA256 37a641988cfb33066c12b68b23bec0623e3d0715d21d6e3b7304bdd7238c8790 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 47d9e427da3dfe5253d0047c40fb773db59dbccb0ff650e86ce7490b2c520c2d - trojan", "cdn.rss.applemarketingtools.com", "http://tuijian.adhei.com/douyu/v /encrypt/gamebox_m.css", "Trojan:Win32/JakyllHyde: FileHash-SHA256 7512f88162744b57efd14cc5fb98bc7cf5588fa25c218a1e92fe8048932450a8 -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 35fc2b92d534f652ffe4ec3cbc3347b6 - adware", "Alerts: stealth_window packer_entropy uses_windows_utilities", "YARA Signature Match - THOR APT Scanner: RULE_TYPE: Valhalla Rule Feed Only \u26a1", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "https://action.aiseesoft.jp/itunes.php", "https://podcasts.apple.com/us/podcast/lazarus", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "Trojan:Win32/JakyllHyde: FileHash-SHA256 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17 - trojan", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "http://ssp.1rtb.com/tracker?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)", "DESCRIPTION: Detects malformed Microsoft copyright statements in executables RULE_AUTHOR: Florian Roth", "https://pegasusm2.bullsbikesusa.com", "js-cdn.music.apple.com \u2022 23.78.51.170", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "https://viz.greynoise.io/analysis/a40cf3ce-d048-47c1-94b7-730b71", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23", "http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "Trojan:Win32/JakyllHyde: FileHash-SHA1 be97e5638139ee689312e23022d2e55e58d123c6 - trojan", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as", "Trojan:Win32/JakyllHyde: FileHash-SHA1 0c795954123ebf1806cdafef2b66322f8d40d3ac - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 b45c02987811425c672f56e011f394f94cc29a7b - trojan", "ET TROJAN W32/Witch.3FA0!tr CnC Actiivty M2 - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "www.phantomcameras.cn", "developer.x.com", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri", "TrojanDownloader:Win32/Nemucod" ], "malware_families": [ "Heur/unsec", "Trojan:win32/tiggre!rfn", "Win.trojan.rootkit-4668", "Serwer a przed\u0142u\u017cenie sesji #{text} wojcieszyce pl", "Trojan:win32/jakyllhyde", "Crypt3.bxmj", "W32/witch.3fa0!tr", "Trojandownloader:win32/upatre!rfn", "Win32:malware-gen", "Crypt3.chzw", "Trojan.downloader12.43161", "Tofsee", "Backdoor:win32/tofsee.t", "Trojandownloader:win32/umbald.a", "Crypt3.boqd\t\t inject2.bhbw", "Win32:agent-alxe\\ [rtk]", "Trojan:msil/trojandropper", "Inject2.bive", "Securiteinfo.com.trojan.generickd.32885218.16582.30886.dll", "Patched3_c.akrv", "Et trojan", "Crypt3.bmvu", "Win32:trojan-gen", "Win.trojan.tofsee-9770082-1", "Sf:agent-dq\\ [trj]", "Win32:dropperx-gen\\ [drp]", "Crypt3.bxvc", "Ransom:win32/stopcrypt.ak!mtb", "Installer" ], "industries": [ "Defense", "Government", "Insurance", "Military" ], "unique_indicators": 120392 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/biofrontera.com", "whois": "http://whois.domaintools.com/biofrontera.com", "domain": "biofrontera.com", "hostname": "webapi1.biofrontera.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "69b7241a63b7527ac2b04d60", "name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]", "description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019 by msudosos notated in references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]", "modified": "2026-04-14T18:06:37.524000", "created": "2026-03-15T21:26:50.218000", "tags": [ "man software", "destination", "port", "united", "delete", "read c", "virustotal", "patched3_c.akrv", "armadillov171", "dod", "thinkman", "win32", "trojan", "present mar", "backdoor", "urls", "files", "unknown", "search", "china as23724", "asnone", "artemis", "zeppelin", "drweb", "vipre", "panda", "malware", "suspicious", "cloud", "logic", "et trojan", "et info", "download", "windows", "embeddedwb", "shellexecuteexw", "msie", "windows nt", "writeconsolew", "displayname", "service", "ids detections", "yara detections", "crypt", "medium", "whitelisted", "passive dns", "worm", "mtb may", "mtb aug", "otx logo", "all ipv4", "pulse pulses", "dynamicloader", "yara rule", "ff d5", "high", "reg add", "regsz d", "write", "file type", "pexe", "pe32", "intel", "ms windows", "pe packer", "pm size", "pehash", "richhash", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "over", "sha256", "sha1", "ascii text", "size", "mitre att", "pattern match", "null", "span", "error", "body", "hybrid", "general", "local", "path", "click", "strings", "refresh", "tools", "title", "show technique", "look", "verify", "restart", "t1480 execution", "navy", "reputation", "adult content", "cyber warfare" ], "references": [ "AVDetections: Patched3_c.AKRV", "Yara Detections: Armadillov171", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "Email: d4@thinkman.com", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "ASN AS27064 dod network information center", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "Alerts: stealth_window packer_entropy uses_windows_utilities", "Alerts: console_output antivm_memory_available pe_features", "Yara Detections: MS_Visual_Basic_6_0", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "mailbox.co.za", "fmx32.aig.com \u2022 167.230.105.81", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Patched3_c.AKRV", "display_name": "Patched3_c.AKRV", "target": null }, { "id": "Win32:Agent-ALXE\\ [Rtk]", "display_name": "Win32:Agent-ALXE\\ [Rtk]", "target": null }, { "id": "Win.Trojan.Rootkit-4668", "display_name": "Win.Trojan.Rootkit-4668", "target": null }, { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Crypt3.CHZW", "display_name": "Crypt3.CHZW", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Crypt3.BOQD\t\t Inject2.BHBW", "display_name": "Crypt3.BOQD\t\t Inject2.BHBW", "target": null }, { "id": "Crypt3.BMVU", "display_name": "Crypt3.BMVU", "target": null }, { "id": "Trojan.DownLoader12.43161", "display_name": "Trojan.DownLoader12.43161", "target": null }, { "id": "HEUR/UnSec", "display_name": "HEUR/UnSec", "target": null }, { "id": "ET Trojan", "display_name": "ET Trojan", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "TrojanDownloader:Win32/Umbald.A", "display_name": "TrojanDownloader:Win32/Umbald.A", "target": "/malware/TrojanDownloader:Win32/Umbald.A" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Military", "Defense", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 165, "FileHash-SHA1": 165, "FileHash-SHA256": 3524, "URL": 11424, "email": 1, "hostname": 3954, "domain": 2523 }, "indicator_count": 21756, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddeb45c45f6a3cd721397d", "name": "Active attacks \u2022 Apple \u2022 Tulach", "description": "Including 360+ Apple\nIoC\u2019s from Malicious Tulac.cc + Virtual Servers Pulses. Ongoing history of malicious attacks, custom malware engineer, malicious media , account control. \n\nI was blocked from VirusToltal. It was Tulach Nextcloud posse. What I am doing now s legal. \n\nReferenced below. URL: \"https://accountapple.com/\" contacted related malicious domain: \"accountapple.com\"\nCONTACTED DOMAIN: \"sqllq.com\" has been identified as malicious", "modified": "2026-04-14T07:22:45.250000", "created": "2026-04-14T07:22:45.250000", "tags": [ "url http", "ipv4", "indicator role", "active related", "united", "moved", "gmt content", "certificate", "all domain", "msie", "chrome", "extraction", "data upload", "twitter", "cookie", "extra", "include data", "review locs", "exclude", "suggested os", "onlv", "failed", "stop data", "read c", "unicode", "rgba", "memcommit", "delete", "dock", "write", "execution", "sc type", "extri", "include review", "exclude sugges", "typ data", "a domains", "present apr", "script urls", "files", "files ip", "address", "ios", "mac", "apple", "appleid", "itunes", "next associated", "all ipv4", "included ic", "uny teade", "type hostnar", "hostnar hostnar", "hostnar", "macair", "macairaustralia", "ipad", "ipod", "cryptexportkey", "invalid pointer", "cryptgenkey", "stream", "defender", "delphi", "class", "stack", "format", "unknown", "united states", "phishing", "password", "traffic redirected", "service mod", "service execution", "youtube", "music", "streams", "songs", "played songs", "music streams", "most played", "fonelab", "indicator", "included iocs", "manually add", "review ocs", "exclude inn", "sugges data", "find", "include", "url https", "enter sc", "type", "no matchme", "search otx", "https", "references x", "analyze", "open th", "url data", "se http", "no match", "excluded iocs", "iocs", "ip whitelisted", "whitelisted", "tcp include", "analysis date", "file score", "medium risk", "yara detections", "contacted", "related tags", "x vercel", "file type", "type indicator", "role title", "related pulses", "mulch virtua", "library loade", "included i0", "review ioc", "excluded ic", "suggested", "find sugt", "samuel tulach", "unity engine", "tulach", "sa awareness", "sabey", "sar cut", "autofill", "includer review", "portiana oney", "targeting", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "defense evasion", "t1480 execution", "musickit_1_.js", "lazarus", "injection", "CVE-2017-8570", "prefetch2", "target", "aaaa", "ip address", "record value", "emails", "samuel tuachs", "sapev", "review exclude", "monitored target", "script", "mitre att", "ascii text", "span", "path", "iframe", "april", "hybrid", "general", "local", "click", "strings", "body", "development att", "t1055.012 list planting", "active" ], "references": [ "https://trade.kraken.com/charts/KRAKEN:APT-USD>+y", "https://kraken.com/\\\\r\\\\nSet-Cookie:\t\u2022 https://www.kraken-okta.com/", "https://account.apple.com/accept-encoding \u2022 http://apple.santandercustomerusa.com/", "https://podcasts.apple.com/us/podcast/lazarus", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://help.aiseesoft.jp/blu-ray-player", "http://help.aiseesoft.jp/fonelab/", "https://action.aiseesoft.jp/itunes.php", "http://help.aiseesoft.jp/total-video-converter", "http://help.aiseesoft.jp/total-video-converter/", "http://help.aiseesoft.jp/video-converter-ultimate/", "http://mli.digitecgalaxus.ch http://test-id.digitecgalaxus.ch/", "http://sf.digitecgalaxus.ch http://static.digitecgalaxus.ch", "http://test-firstmile.digitecgalaxus.ch", "https://druryhotels.kiosoft.com/auth/reset_password/50032174/1/YjM2Y2UyY2VlNmVlOGI0NjZmNmFkZTNhYzBjNGVhNmVlZWQwODZjMDU0Yjg5YWZlZmRlM2RjMDUyNWYyZTRiMGRkNDM1ZjllZDNjYTA4YWJkMDhkMDQxNTEwNjY0YWQ2NTYwM2MzOWFhYTI5NTJiY2UzNzkyYWM2NWJkMzJlYmRCd2c5bjNicFBJRkhRS3dKU0JOREJEMXNjTTlOa0t1K0tlUkd2OEVKUUxUN0g1SlFzc1NoaUVKZ0NFM2YvekVIM29yTGZCTWJHaDBsOE9uL0phNHhwUT09/", "No matchine recorde f\u0627\u0648\u0635\u064a\u0647[?]", "cdn.rss.applemarketingtools.com", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "1.bing.com.cn", "www.akopde.dns-dynamic.net Hostname www.est.net.google.com.bing.com.yahoo.com.pubgmobile.dns-dynamic.net Hostname www.jhoexii.dns-dynamic.net", "www.phantomcameras.cn", "https://podcasts.apple.com/us/podcast/lazarus-rising-with-misha-collins-s4ep1/id1605385289?i=1000614835179\"", "podcasts.apple.com \u2022 23.34.32.21", "www.apple.com \u2022 23.34.32.199", "js-cdn.music.apple.com \u2022 23.78.51.170", "http://firstmile.digitecgalaxus.ch", "Tulach Virtual Servers https://otx.alienvault.com/pulse/69d9b0e549af1aae2975ebeb", "Library Loader \u2022 Tulach https://otx.alienvault.com/pulse/69d8a665177b8f64c7ce5fca", "Tulach.cc", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "www.youtube.com/watch?v=GyuMozsVyYs (targets song / channel be controlled by Tulach) \u2018song about SA awareness\u2019", "https://rss.applemarketingtools.com/api/v2/jp/music/most-played/100/songs.json", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290 cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop https://api.w.org/ \u2022 api.w.org remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-as", "Samuel Tulach\u2019s assets connected to M. Brian Sabey, Esq + malicious media + quasi government + State & DGA domains", "asp.net domain pointer", "developer.x.com", "aotx.alienvault.com (aotx.?)", "https://otx.alienvault.com/indicator/url/http://asp.net/ApplicationServices/v200/AuthenticationService/LogoutResponseh", "https://hybrid-analysis.com/sample/3257a36fae4c3bd3c47b1c37604ff3e30ff75fffd4c07bc52bcfe3ecb189371f" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1020.001", "name": "Traffic Duplication", "display_name": "T1020.001 - Traffic Duplication" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591.002", "name": "Business Relationships", "display_name": "T1591.002 - Business Relationships" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1029, "domain": 396, "email": 7, "URL": 2784, "FileHash-SHA256": 898, "FileHash-MD5": 79, "FileHash-SHA1": 68, "IPv4": 35, "CVE": 1, "SSLCertFingerprint": 13 }, "indicator_count": 5310, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "677e2740a2bd7272dfeaf4f2", "name": "http://185.145.131.197:9/mk/sb.jpg", "description": "The full text of the full transcript of this year's BBC Radio 4 World News Programme: 1:00 BST on Thursday, 1 December 2016, on the BBC iPlayer, and here are the key points", "modified": "2025-02-07T07:01:04.589000", "created": "2025-01-08T07:20:32.572000", "tags": [ "danie", "get i1a6", "okrndata", "http inetsim", "cieka", "sport", "pe32", "intel", "skrt", "hash", "prbka plik", "msdos", "ms windows", "crlf", "plik", "tekst ascii", "z terminatorami" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 79, "FileHash-SHA1": 65, "FileHash-SHA256": 149, "URL": 126, "hostname": 56, "domain": 30 }, "indicator_count": 505, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "436 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6665c84b687c5e16b95e8f8e", "name": "94.152.152.223 v65023.niebieski.net Cyber_Folks S.A. (vgt.pl)", "description": "SHA1 32223ade25c4a1d39cb8ac13042e8e6dfe3ca78f , SHA1 \n 99987c1ee1ddb7fd113abd65c836fbb71c3da4da\n Role: UPX , Ransomware , Trojan , Mirai , Buschido Mirai antywirusowe\nWin.Trojan.VBGeneric-6735875-0 , Robak:Win32/Mofksys.RND!MTB", "modified": "2024-12-31T01:53:43.222000", "created": "2024-06-09T15:20:43.178000", "tags": [ "expiration", "no expiration", "url http", "url https", "hostname", "domain", "ipv4", "filehashsha256", "fh no", "filehashmd5", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "pl o", "unizeto", "sa ou", "urzd", "certum cn" ], "references": [ "https://viz.greynoise.io/analysis/f3d70a4f-14b1-4d26-8617-98d591", "https://viz.greynoise.io/analysis/a40cf3ce-d048-47c1-94b7-730b71", "https://viz.greynoise.io/analysis/4627bc3a-0238-4f2f-ad5c-c50527" ], "public": 1, "adversary": "TrojanDownloader:Win32/Nemucod", "targeted_countries": [ "Poland", "United States of America", "Germany", "Netherlands" ], "malware_families": [ { "id": "Serwer A Przed\u0142u\u017cenie sesji #{text} Wojcieszyce PL", "display_name": "Serwer A Przed\u0142u\u017cenie sesji #{text} Wojcieszyce PL", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027.004", "name": "Compile After Delivery", "display_name": "T1027.004 - Compile After Delivery" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1553.006", "name": "Code Signing Policy Modification", "display_name": "T1553.006 - Code Signing Policy Modification" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.001", "name": "Invalid Code Signature", "display_name": "T1036.001 - Invalid Code Signature" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3205, "FileHash-SHA1": 2671, "FileHash-SHA256": 11469, "SSLCertFingerprint": 6, "URL": 5435, "domain": 1356, "email": 55, "hostname": 2205, "CVE": 13, "YARA": 4, "CIDR": 1, "IPv4": 25, "FileHash-IMPHASH": 1, "BitcoinAddress": 2, "IPv6": 13 }, "indicator_count": 26461, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "474 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66831f04ad169d3b685c9645", "name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010", "description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.", "modified": "2024-10-14T20:36:07.924000", "created": "2024-07-01T21:26:27.623000", "tags": [ "no expiration", "filehashsha256", "hacktool", "expiration", "win32autokms no", "filehashmd5", "filehashsha1", "virus", "sha1", "win32", "trojan", "ransom", "pejzasz", "vhash", "imphash", "ssdeep", "hash", "skrt", "y pkmsauto", "crlf", "dodaj", "hostsettings", "v wczono", "t regdword", "powershell", "nowy", "pe32", "intel", "ms windows", "nazwa typ", "md5 nazwa", "procesu", "vs2013", "rticon neutral", "compiler", "submission", "file version", "chi2", "contained", "authentihash", "pehash", "uacme akagi", "cobalt strike", "detects", "roth", "sliver stagers", "highvol", "detects imphash", "zero", "virustotal", "detection rule", "license", "arnim rupp", "whasz", "github", "postpuj zgodnie", "przegld", "danie id", "github og", "url https", "error", "toast", "clientrender", "date", "promise", "65536", "client env", "alloy", "rangeerror", "staff", "upx dump", "security", "license v2", "e8 ff", "fc ff", "ff ff", "e8 f7", "c3 e8", "e8 db", "f0 c9", "c8 ff", "c9 c3", "c4 a8", "a7 ff", "f1 e8", "ec c7", "f0 c0", "c1 e9", "ec e8", "ff e8", "a3 a4", "db e2", "b0 e9", "e8 ba", "b9 f3", "e4 f8", "ff e9", "eb ed", "b6 b3", "b6 bb", "c8 f7", "c6 a8", "f6 c1", "b0 d7", "df e0", "c4 f0", "fc e8", "cf e5", "f8 ff", "f7 ff", "cc cc", "c3 b8", "b9 ff", "ff f3", "ab aa", "f7 f9", "b8 c7", "be ad", "ef be", "ad de", "e9 cd", "c4 f4", "fe ff", "d1 fa", "fa fc", "f3 a6", "fb ff", "fc c6", "fc eb", "e8 ed", "fb d1", "b6 f8", "c7 c7", "ec d0", "b6 d2", "ff e1", "c0 ac", "c1 e3", "c3 aa", "c2 c1", "d3 f7", "fc c7", "win32 cabinet", "selfextractor", "pecompact", "yarahub", "yara", "repository", "hub", "repo", "malware_onenote_delivery_jan23", "yara rule", "team", "sifalconteam", "yarahub entry", "rule details", "malpedia family", "rule matching", "content copy", "download rule", "malware", "cc by", "vbscript", "sub autoopen", "getobject", "batch" ], "references": [ "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23" ], "public": 1, "adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 14732, "FileHash-MD5": 4316, "FileHash-SHA1": 3405, "YARA": 181, "URL": 4793, "domain": 1717, "hostname": 4354, "IPv4": 107, "IPv6": 845, "email": 26, "CVE": 13, "FilePath": 1 }, "indicator_count": 34490, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6687495ad1e4ef814ec26c75", "name": "Remote Network Attack | JakyllHyde: Malicious Keyword Tool Index | Sabey Data Centers", "description": "Research shows compromise originated from Sabey Data Centers. High Priority 'Malicious' \nRemotely connects to victim network is injection,", "modified": "2024-09-05T06:26:17.295000", "created": "2024-07-05T01:16:10.251000", "tags": [ "read c", "get na", "sthubei", "otaokexing", "unknown", "write c", "outaokexing", "cntaokexing", "ms windows", "pe32", "win64", "write", "next", "win32", "malware", "copy", "keyword tool", "historical ssl", "referrer", "vs2010", "file", "sections", "signature", "file version", "windows system", "internal name", "version", "portable", "info compiler", "analyzer paste", "iocs", "url https", "samples", "cisco umbrella", "site", "safe site", "alexa top", "million", "heur", "malware site", "malicious site", "iframe", "alexa", "deepscan", "crack", "fusioncore", "cleaner", "riskware", "jakyllhyde", "china unknown", "asnone china", "cname", "as4812 china", "as4134 chinanet", "date", "moved", "search", "status", "body", "as4837 china", "bad request", "passive dns", "gmt content", "type", "scan endpoints", "all scoreblue", "twitter", "trojan", "urls", "machinename", "alibaba cloud", "computing", "beijing", "domains", "contacted", "ip detections", "country", "files", "file type", "signals mutexes", "local", "localc", "mutexes", "as31122 digiweb", "ireland unknown", "a domains", "gmt server", "pulse pulses", "pragma", "ipv4", "apache", "get http", "request", "host", "accept", "response", "date mon", "http requests", "connection", "server", "pluginrun", "ip traffic", "hashes", "user", "dns resolutions", "ff ff", "lowdatetime", "mofresourcename", "portclsmof", "hdaudiomofname", "processorwmi", "acpimofresource", "mofresource", "registry keys", "counter", "files written", "files dropped", "registry", "samplepath", "windir", "created c", "shell commands", "monitor", "arg0", "tree", "synchronization", "yara signature", "match", "thor apt", "scanner rule", "livehunt", "ruletype", "rule feed", "rulelink", "microsoft", "ruleauthor", "backdoor", "injection", "sabey data centers", "vbs", "remote attack", "extreme targeting", "116.207.118.87", "192.168.56.103", "linux", "locate linux deployed", "track", "tracking", "track all devices", "android", "apple", "apple webkit" ], "references": [ "Win32/JakyllHyde - RUNDLL32.EXE FileHash-SHA1 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17", "Found in a malicious keyword index: http://m.xiang5.com/keyword/17655.html&htE5-: Family", "IDS Detections: Win32/JakyllHyde C2 Activity Win32/JakyllHyde C2 Activity M2 PE EXE or DLL Windows file download HTTP", "Alerts: dead_host injection_runpe network_icmp allocates_execute_remote_process disables_proxy injection_modifies_memory modifies_proxy_wpad", "Alerts: origin_langid multiple_useragents process_interest recon_beacon injection_resumethread antivm_vmware_in_instruction dumped_buffer network_bind network_http allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Trojan:Win32/JakyllHyde: CnC IP's -183.95.89.203 116.211.100.182 Exploit Source: IPv4 116.207.118.87 163.171.134.109", "Trojan:Win32/JakyllHyde: FileHash-SHA256 01021c698664f7567b787d7bce266124ec0a226fb2e586125d109beb0ad0ba17 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 37a641988cfb33066c12b68b23bec0623e3d0715d21d6e3b7304bdd7238c8790 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 002d9916a54c7ea70c931dca29c0a4500020d8040b9e446a5472b9089c29c8bc - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 440165588e14516e1ef13b6240aad27a0e8c49744c8383590425b3cc9d7f23f1 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 47d9e427da3dfe5253d0047c40fb773db59dbccb0ff650e86ce7490b2c520c2d - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA256 7512f88162744b57efd14cc5fb98bc7cf5588fa25c218a1e92fe8048932450a8 -trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 0c795954123ebf1806cdafef2b66322f8d40d3ac - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f971b96cd514dc62a43b51f32e3a440fe3e0c6d4 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 732198087c6a88afa356ea729bd3b8bb16c41901 - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 f02ebf4d8955c363d615a53cc44b048d75b7cefb - adware", "Trojan:Win32/JakyllHyde: FileHash-SHA1 800c8a5f93b04d6c5dc491ab582cd75165918f5f - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 b45c02987811425c672f56e011f394f94cc29a7b - trojan", "Trojan:Win32/JakyllHyde: FileHash-SHA1 be97e5638139ee689312e23022d2e55e58d123c6 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 0dd69941b0f01d1ee4d49c228f832bed - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 2f237a35379a5fa46168e3a01667f32c - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 35fc2b92d534f652ffe4ec3cbc3347b6 - adware", "Trojan:Win32/JakyllHyde: FileHash-MD5: 4d4cd0582109e110967bce75534031ed -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: 8eeda8077a13f12aa72c8b7b5f457734 -trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: d6d906a1c4061d3f41053b4548c7ea69 - trojan", "Trojan:Win32/JakyllHyde: FileHash-MD5: fa7d0ef6c2c634e4f0e890c3d5b4cf4f - trojan", "YARA Signature Match - THOR APT Scanner: RULE_TYPE: Valhalla Rule Feed Only \u26a1", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "DESCRIPTION: Detects malformed Microsoft copyright statements in executables RULE_AUTHOR: Florian Roth", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/Malformed_Copyright_Statements RULE_AUTHOR: Florian Roth", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/ RULE_AUTHOR: Florian Roth", "#copyright #statements #malformed_copyright_statements", "ETPRO MALWARE Win32/JakyllHyde C2: https://www.joesandbox.com/analysis/754158/0/html", "Snort IDS: 2836073 ETPRO MALWARE Win32/JakyllHyde C2 Activity 192.168.2.3:49698 ->", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET MALWARE Win32/Eyoorun.D Variant Checkin - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ET TROJAN W32/Witch.3FA0!tr CnC Actiivty M2 - Source IP: 192.168.2.3 - Destination IP: 116.211.100.21", "ETPRO MALWARE Win32/JakyllHyde C2 Activity M2 - Source IP: 116.211.100.21 - Destination IP: 192.168.2.3", "System process connects to network (likely due to code injection or exploit)", "Snort IDS alert for network traffic | Detected VMProtect packer", "W32/Witch.3FA0!tr: FileHash-MD5 38be6c6b799140f435bc1b1d42275d7c", "W32/Witch.3FA0!tr: FileHash-SHA1 13ed578302cc1f302a8a9df9308859486aeb4d0b", "W32/Witch.3FA0!tr: 601928c4508162aed7491ea4995eca7361be6faeac3c06ee5fc5302e686e26448", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.cs", "http://tuijian.adhei.com/douyu/v1/encrypt/gamebox_m.css", "http://tuijian.adhei.com/douyu/v /encrypt/gamebox_m.css", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+U;+Android+4.3.1;+en-us;+GT-I8190+Build/JZO54K)+AppleWebKit/534.30+", "http://57d7.zhanyu66.com/air.thinlinuxforandroid.apk", "http://sdk.1rtb.com/sdk/req_ad?app_package=com.scpp.plus&device_type=1&device_adid=92841014150fc3fd&device_geo_lat=&app_name=%E8%B", "http://ssp.1rtb.com/tracker?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)", "https://simulator-api.666phonemanager.com/advert/gamebox_winpop/online", "http://ssp.1rtb.com/imp?ua=Mozilla/5.0+(Linux;+Android+7.1.2;+SM-T555+Build/NMF26X;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China", "Hong Kong", "Singapore" ], "malware_families": [ { "id": "Trojan:Win32/JakyllHyde", "display_name": "Trojan:Win32/JakyllHyde", "target": "/malware/Trojan:Win32/JakyllHyde" }, { "id": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "display_name": "SecuriteInfo.com.Trojan.GenericKD.32885218.16582.30886.dll", "target": null }, { "id": "W32/Witch.3FA0!tr", "display_name": "W32/Witch.3FA0!tr", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1037.001", "name": "Logon Script (Windows)", "display_name": "T1037.001 - Logon Script (Windows)" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 682, "FileHash-SHA1": 327, "FileHash-SHA256": 2911, "SSLCertFingerprint": 4, "URL": 13039, "domain": 1038, "hostname": 2764, "email": 2, "CVE": 2 }, "indicator_count": 20769, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66141ecabe8f1ab189351dd3", "name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring", "description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related", "modified": "2024-05-08T16:00:34.588000", "created": "2024-04-08T16:43:54.908000", "tags": [ "installer", "tofsee", "trojan", "dropper", "dns", "as20940", "united", "aaaa", "as15703", "search", "servers", "as8455 schuberg", "a domains", "encrypt", "code", "tweakers", "unknown", "ransom", "body", "webcams", "banker", "location tracking", "vehicle tracking", "device tracking", "exploitation", "redirects", "ip tracking", "vpn nullify", "vehicle keycodes", "search threat", "analyzer feeds", "panel platform", "search platform", "profile user", "iocs", "redacted for", "passive dns", "all scoreblue", "hostname", "next", "cnc", "scanning host", "milesone", "virtual currency mining", "crypto", "regsetvalueexa", "regdword", "default", "show", "regbinary", "read c", "settingswpad", "as15169", "malware", "copy", "write", "upatre", "ids detections", "scan endpoints", "filehash", "av detections", "yara detections", "alerts", "analysis date", "file score", "ransom", "related pulses", "entries", "icmp traffic", "packing t1045", "t1045", "pe resource", "august", "win32", "for privacy", "creation date", "name servers", "urls", "date", "status", "as15169 google", "as44273 host", "ipv4", "pulse submit", "url analysis", "msie", "chrome", "moved", "title", "gmt content", "apple", "invalidate_gift_cards", "tulach rebranded", "hallrender rebranded", "as8075", "verdana", "td tr", "domain", "germany unknown", "as34011 host", "etag", "medium", "module load", "invalidate_google_play", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "win32 exe", "win32 dll", "javascript", "mozilla firefox", "edition", "detections type", "name", "keeweb", "setup", "firefox setup", "record type", "ttl value", "android", "files", "formbook", "critical cmd", "tracker", "tsara brashears", "remote", "historical ssl", "referrer", "march", "body html", "head meta", "moved title", "head body", "pegasus", "nemtih", "hit", "men", "gift_card_mining", "google_play_card_mining", "miner", "htmladodb may", "twitter", "win64", "as21342", "as2914 ntt", "as15334", "error", "certificate", "checkbox", "accept", "record value", "emails", "domain name" ], "references": [ "Virustotal - google.com.uy", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "nr-data.net [Apple Private Data Collection]", "checkip.dyndns.org [command and control]", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "144.76.108.82 [scanning host]", "Yara Detections PEtite24", "FormBook IP: 142.251.211.243", "https://pegasusm2.bullsbikesusa.com", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:MSIL/TrojanDropper", "display_name": "Trojan:MSIL/TrojanDropper", "target": "/malware/Trojan:MSIL/TrojanDropper" }, { "id": "Installer", "display_name": "Installer", "target": null }, { "id": "Sf:Agent-DQ\\ [Trj]", "display_name": "Sf:Agent-DQ\\ [Trj]", "target": null }, { "id": "TrojanDownloader:Win32/Upatre!rfn", "display_name": "TrojanDownloader:Win32/Upatre!rfn", "target": "/malware/TrojanDownloader:Win32/Upatre!rfn" }, { "id": "Win32:DropperX-gen\\ [Drp]", "display_name": "Win32:DropperX-gen\\ [Drp]", "target": null }, { "id": "Win.Trojan.Tofsee-9770082-1", "display_name": "Win.Trojan.Tofsee-9770082-1", "target": null }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1574.005", "name": "Executable Installer File Permissions Weakness", "display_name": "T1574.005 - Executable Installer File Permissions Weakness" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1493", "name": "Transmitted Data Manipulation", "display_name": "T1493 - Transmitted Data Manipulation" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1013", "name": "Port Monitors", "display_name": "T1013 - Port Monitors" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1468", "name": "Remotely Track Device Without Authorization", "display_name": "T1468 - Remotely Track Device Without Authorization" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 468, "FileHash-SHA256": 3233, "URL": 8667, "domain": 2219, "hostname": 3480, "email": 8 }, "indicator_count": 18467, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "711 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://webapi1.biofrontera.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://webapi1.biofrontera.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776631438.976015 }