{ "type": "URL", "indicator": "https://webstore.name", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://webstore.name", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3855300757, "indicator": "https://webstore.name", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cc958e062575a9a160", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:24.154000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cdfd20f6237e3892c0", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:25.910000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015551faca20cb510f9121", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:29.149000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015553ad4633eb85c66817", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:31.072000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603360b48908ae9b9835563", "name": "IoT Dark Nexus + Mirai BotNet HELP HER PLEASE!!- Enom | TELNET Root |", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:54:35.118000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603369ad0e38e313883c4fa", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root HELP! RETALIATION HAS OCCURRED ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:56:58.037000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 4468, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f4ba867ec44a4dc0e6fc96", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com", "description": "Jiuxiu Live - High-quality beauty online video interactive community - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -porn dump. Performed tiny DNS test on affected target. \nDNS stuffing pornography. DNSpionage , custom browser, DNS tunneling encoding data, programs, protocols, DNS queries, responses, amplification attack; perform (DDoS) on server, flood attack, spoofing. Attack. Miles IT & affiliated logging inas target. Pitfall of being compromised for some; you won't speak to legitimate business unless you know & recognize voice. \nSome notations in references.", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-15T21:15:50.802000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980ad16123b5d52f5f76f", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com [Report originated from octoseek]", "description": "", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-19T12:10:21.291000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": "65f4ba867ec44a4dc0e6fc96", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eff46bdd371899ca5be7d7", "name": "CrypterX-gen | Video-lal.com | M. Brian Sabey \u2022 Hall Render | Rexxfield", "description": "Videolal results. Parked. Owner of domain has subsidiaries including Huge Domains. It's possible for attacker to post a 404 error page, park, post it for sale, malvertize. HoneyPotBot? \n\nFireeye. A bit much. william.ballenthin@fireeye.com\t\ncontain a resource (.rsrc) section moritz.raabe@fireeye.com. Overkill. What would Scooby Doo? Scooby!? \nTarget reports opening her MacBook Pro after it was replaced by Apple. It hadn't been in use. She opened it, surprised it was on, automatically connected to a store wifi (she was home) A worker was typing away in terminal. Fought hacker for recordings app containing Jeffrey Reimers aggressions. She lost. Terrified she murdered her MacBook by drowning & dismemberment. Big mistake. Cloned MacBook. Clicked on links trigger malicious downloads, network & DNS issues.", "modified": "2024-04-11T04:01:24.166000", "created": "2024-03-12T06:21:31.484000", "tags": [ "upatre malware", "rwi dtools", "page dow", "security", "bitfender", "yandex", "malware", "all octoseek", "av detections", "ids detections", "yara detections", "alerts", "file score", "fireeye", "injection", "worm", "trojan", "network", "poster", "honeybots", "united", "unknown", "win32upatre mar", "passive dns", "entries", "ipv4", "body", "artro", "generic malware", "formbook", "tag count", "threat report", "ip summary", "url summary", "generic", "hostnames", "pattern match", "ascii text", "png image", "root ca", "file", "authority", "indicator", "mitre att", "ck id", "class", "date", "enterprise", "hybrid", "accept", "general", "local", "click", "strings", "trident", "as47846", "germany unknown", "as2906 netflix", "scan endpoints", "domain", "urls", "files", "trojanspy", "mozilla", "dynamicloader", "medium", "title", "ms windows", "head", "intel", "inetsim http", "delete c", "show", "winnt", "copy", "powershell", "write", "next", "suspicious", "shop", "graph api", "status", "join", "vt community", "api key", "xcitium verdict", "cloud", "contacted", "contacted urls", "ssl certificate", "referrer", "historical ssl", "parent domain", "apple ios", "resolutions", "execution", "hacktool", "outbound connection", "detection list", "blacklist" ], "references": [ "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022", "http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com", "william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"", "FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad", "Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/", "Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7", "Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c", "Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143", "allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe", "injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available", "CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33", "AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.", "Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022", "www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html", "https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html", "http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-", "http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022", "http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c", "https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/", "\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e", "\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671", "\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Win32.Renos/Artro", "display_name": "Win32.Renos/Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "I-Worm/Bagle.QE", "display_name": "I-Worm/Bagle.QE", "target": null }, { "id": "Worm.Bagle-44", "display_name": "Worm.Bagle-44", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "Win.Trojan.Generic-9897526-0", "display_name": "Win.Trojan.Generic-9897526-0", "target": null }, { "id": "Win.Trojan.Knigsfot-125", "display_name": "Win.Trojan.Knigsfot-125", "target": null }, { "id": "ALF:TrojanDownloader:Win32/Vadokrist.A", "display_name": "ALF:TrojanDownloader:Win32/Vadokrist.A", "target": null }, { "id": "Win.Trojan.Generic-9957168-0", "display_name": "Win.Trojan.Generic-9957168-0", "target": null }, { "id": "Win.Adware.RelevantKnowledge-9821121-0", "display_name": "Win.Adware.RelevantKnowledge-9821121-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "display_name": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1622, "FileHash-SHA1": 934, "FileHash-SHA256": 3289, "URL": 9605, "domain": 2321, "hostname": 2411, "CVE": 1, "email": 3 }, "indicator_count": 20186, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "738 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/", "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available", "http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |", "http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c", "HOSTEDBYAPPLIEDI.NET - Enom", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.", "https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79", "Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022", "\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "Self whitelisting tool, domains moved within nginx.", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe", "\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "nr-data.net [Apple Private Data Collection]", "http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671", "0-w5-cms.ultimate-guitar.com", "http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143", "www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html", "Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Out For Blood" ], "malware_families": [ "Artro", "Formbook", "Win.trojan.generic-9897526-0", "Win.trojan.generic-9957168-0", "Zbot", "Win32.renos/artro", "Win.adware.relevantknowledge-9821121-0", "Unix.trojan.darknexus-7679166-0", "Elf:mirai-gh\\ [trj]", "Blacknet", "Win32:crypterx-gen\\ [trj]", "Hacktool", "Mirai", "I-worm/bagle.qe", "Alf:trojandownloader:win32/vadokrist.a", "Trojanspy:win32/nivdort.de", "Quasar", "Fragtor", "Trojanspy", "Worm.bagle-44", "Bulz", "Win.trojan.knigsfot-125", "Ransom", "Maltiverse", "Generic", "Alf:heraklezeval:trojan:win32/neurevt", "Other:malware-gen\\ [trj]" ], "industries": [ "Civil society", "Healthcare", "Private sector" ], "unique_indicators": 61933 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/webstore.name", "whois": "http://whois.domaintools.com/webstore.name", "domain": "webstore.name", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cc958e062575a9a160", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:24.154000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cdfd20f6237e3892c0", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:25.910000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015551faca20cb510f9121", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:29.149000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015553ad4633eb85c66817", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:31.072000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603360b48908ae9b9835563", "name": "IoT Dark Nexus + Mirai BotNet HELP HER PLEASE!!- Enom | TELNET Root |", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:54:35.118000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603369ad0e38e313883c4fa", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root HELP! RETALIATION HAS OCCURRED ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:56:58.037000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 4468, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f4ba867ec44a4dc0e6fc96", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com", "description": "Jiuxiu Live - High-quality beauty online video interactive community - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -porn dump. Performed tiny DNS test on affected target. \nDNS stuffing pornography. DNSpionage , custom browser, DNS tunneling encoding data, programs, protocols, DNS queries, responses, amplification attack; perform (DDoS) on server, flood attack, spoofing. Attack. Miles IT & affiliated logging inas target. Pitfall of being compromised for some; you won't speak to legitimate business unless you know & recognize voice. \nSome notations in references.", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-15T21:15:50.802000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f980ad16123b5d52f5f76f", "name": "DNS Hijacking - \u4e5d\u79c0\u76f4\u64ad-\u9ad8\u54c1\u8d28\u7f8e\u5973\u5728\u7ebf\u89c6\u9891\u4e92\u52a8\u793e\u533a -MilesIT.com [Report originated from octoseek]", "description": "", "modified": "2024-04-13T11:00:32.548000", "created": "2024-03-19T12:10:21.291000", "tags": [ "q htpps", "g htpps", "q https", "virustotal", "exif standard", "tiff image", "msie", "windows nt", "wow64", "slcc2", "media center", "default", "jpeg image", "search", "copy", "code", "write", "pecompact", "february", "packer", "delphi", "win32", "persistence", "execution", "next", "create c", "delete c", "intel", "ms windows", "pe32", "precreate read", "united", "show", "regsetvalueexa", "trojan", "markus", "mozilla", "write c", "json", "entries", "ascii text", "data", "as15169", "error", "malware", "win64", "denmark as32934", "ip hostname", "reverse ip", "lookup country", "as7018 att", "as14618", "as54113", "country code", "as36081 state", "redirect chain", "redirection", "location", "lakewood", "emails", "as name", "ssl certificate", "whois record", "k0pmbc", "spsfsb", "zwdk9d", "vwdzfe", "contacted", "referrer", "ntmzac", "historical ssl", "august", "hacktool", "core", "agent tesla", "emotet", "chaos", "ransomexx", "quasar", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "markmonitor", "epic games", "iana id", "contact phone", "domain status", "registrar whois", "registrar", "win32 exe", "python", "launchres", "win32 dll", "unrealengine", "detections type", "name", "bundled", "ctsu", "smokeloader", "privateloader", "relic", "monitoring", "startpage", "\u7f8e\u5973\u76f4\u64ad", "\u7f8e\u5973\u89c6\u9891", "\u7f8e\u5973\u4e3b\u64ad", "\u89c6\u9891\u804a\u5929", "\u89c6\u9891\u4ea4\u53cb", "\u7f8e\u5973\u4ea4\u53cb", "\u7f8e\u5973\u79c0\u573a", "\u6e05\u7eaf\u7f8e\u5973", "\u6027\u611f\u7f8e\u5973", "\u7f8e\u5973\u4e92\u52a8", "\u7f8e\u5973\u804a\u5929", "\u7f8e\u5973\u5728\u7ebf\u8868\u6f14", "\u7f8e\u5973\u76f4\u64ad\u95f4", "\u7f8e\u5973\u804a\u5929\u5ba4", "icp2021030667", "0110542", "copyright", "rights reserved", "resolutions", "contacted urls", "siblings domain", "siblings", "parent domain", "cname", "whitelisted", "status", "as15169 google", "asnone united", "servers", "aaaa", "body", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "site top", "heur", "alexa top", "safe site", "million", "million alexa", "site safe", "malicious site", "unsafe", "alexa", "riskware", "artemis", "blacknet rat", "quasar rat", "crack", "presenoker", "dapato", "stealer", "phish", "memscan", "nsis", "phishing", "bulz", "maltiverse", "trojanspy", "blacknet", "zbot", "aig", "unknown", "passive dns", "urls", "expiresthu", "gmt path", "scan endpoints", "encrypt", "dynamicloader", "high", "medium", "qaeaav12", "windows", "cape", "windows wget", "suspicious", "powershell", "canvas", "form", "showing", "all octoseek", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "cus cnr3", "olet", "l http", "wifi", "wifi access", "wifi hotspot", "wifi internet", "southwest wifi", "inflight", "inflight entertainment", "southwest", "comedy", "internet", "strong", "drama", "google chrome", "business select", "internet access", "apple safari", "book", "rapid", "love", "summer", "poppy", "floyd", "district", "jackson", "kevin", "live", "music", "upgrade", "gift", "lost", "carol", "canada", "cobalt strike", "malicious", "fragtor", "phishing paypal", "mail spammer" ], "references": [ "https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420", "tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate", "Conneted to Network: drcody@milesit.com | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com", "Conneted to Network: http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net", "Conneted to Network: https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3", "https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357", "Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone.", "Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode.", "Target admits to ignoring major signs: 'PI' called just before request submitted.Spent hours researching & denouncing targets former 'questionable 'PI", "'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight.", "'PI' arrives in separate car w/unseen veteran. Points out DV LP to target , states he's not with her. Leads target to restaurant 'to talk'. Stays awhile.", "'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional vowing to be better.", "Emotionally demands disabled target cash advanced to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing.", "Of note: Alleging Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days provide hacker secured iPhone.", "'PI' claims to have information. Sends picture of who he claims is attacker now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew.", "Target knows nothing about assaulter. Chicago Fed text photo for target to confirm identity of attacker. Be sends a photo of Dr. John T. Sasha.", "Target was treated by Dr. Sasha, was not assaulter. Target relays Law Firm dropped her as she refused to include Sasha in Injury claim.", "Goal to present targets case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case.", "Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleging Chicago Fed contends be needs to move her 50+ miles.", "Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PI's.", "Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation.", "Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved box opened and tampered with.", "Issues: Target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her.", "I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found.", "Law enforcement aware and assure target in person she's not a suspect in any crime is Colorado or nationally. All DA's, law enforcement PI's check.", "You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, Purple teamer.", "Device security reset temporarily before epicgames[.]com a resource being used attempted to self download. Relentless...", "Self whitelisting tool, domains moved within nginx." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Bulz", "display_name": "Bulz", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Fragtor", "display_name": "Fragtor", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [], "TLP": "white", "cloned_from": "65f4ba867ec44a4dc0e6fc96", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8753, "domain": 1525, "hostname": 3740, "FileHash-SHA256": 6746, "FileHash-MD5": 619, "FileHash-SHA1": 509, "SSLCertFingerprint": 3, "CVE": 8, "CIDR": 5, "email": 7 }, "indicator_count": 21915, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "736 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://webstore.name", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://webstore.name", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776631486.825529 }